Not really. The acl is clearly not a conffile, because there is no default that is correct for a majority of sites. So, it's not appropriate to ship in a package, but instead should be created by a postinst somewhere. (I've been planning to get rid of krb5_newrealm and move realm setup into postinst/config, which may also complicate freeipa).
It seems like you're going to run into the same policy issues with all the KDC bits, and probably the only solution from a policy standpoint is to have cooperation between the packages. Which I'm happy to do. As for the technical issue, yes, it does seem like it would be a good idea to provide a stub ACL template, and one of our postinsts can cause it to get in place. I'm not sure what a good solution is for debconfing realm setup in the simple case, but providing a smoothe user experience for freeipa. I want to get rid of krb5_newrealm, because it means the realm setup dialogue cannot be translated, and because it means realm setup questions cannot easily be preceeded, and because it's an extra step. Part of the answer may be asking the user whether they want automatic configuration, but I'd imagine that question would typically be at priority medium, so not everyone would see it. There's probably some good answer here, and I'd be delighted to brainstorm until we find it. --Sam
