> > Okay, so it got added to sssd due to > > > > https://github.com/SSSD/sssd/issues/5893 > > > > so I wonder if ipa should stop doing the same, and remove the line > > from > > krb5.conf on upgrade. > > Seems this is filed upstream already at > > https://pagure.io/freeipa/issue/9267 > > but no fix available yet, so it needs to be fixed downstream first.
Ok, I had missed that it was already filed upstream. Actually, the issue also occurs on RHEL 9. I am well set up to test a patched Debian package if it can be helpful. As I described in the original bug report above, the workaround is either to delete /etc/krb5.conf.d/enable_sssd_conf_dir or to comment the includedir line out. It could be more robust to patch it at this level since /etc/krb5.conf.d/enable_sssd_conf_dir is a static file, while /etc/krb5.conf is modified by ipa-client-install. But on the long run, the upstream fix will probably be at IPA level as you suggested, so maybe it is safer to keep a patch there, and not to impact sssd.