Re: [Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc

2018-09-07 Thread Sam Hartman
*** This bug is a duplicate of bug 1772447 ***
https://bugs.launchpad.net/bugs/1772447

I agree with Russ. On the Debian side, I would not support a change to krb5-kdc to make /var/lib/krb5kdc world readable. I think putting the public cert in /etc/krb5kdc is fine: I can make a case it's config

Re: [Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc

2018-09-07 Thread Russ Allbery
*** This bug is a duplicate of bug 1772447 ***
https://bugs.launchpad.net/bugs/1772447

keestux writes:

> That anonymous PKINIT is required right now to enable two-factor
> authentication login to web UI because since FreeIPA 4.5 we cannot use
> HTTP service keytab anymore: FreeIPA framework