There was a discussion on the freeipa users list and Alexander Bokovoy was kind enough to explain what was happening.
"We need access to the KDC's public certificate in case we are dealing with a KDC certificate issued by a local certmonger (self-signed) which is not trusted by the machine. You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for details. A short version is:

--------
When you install 4.5 with --no-pkinit, the installer will generate a self-signed certificate for PKINIT. This certificate is only used and trusted by the IPA Web UI running on the same server to obtain an anonymous ticket.
--------

That anonymous PKINIT is required right now to enable two-factor authentication login to the web UI because since FreeIPA 4.5 we cannot use the HTTP service keytab anymore: the FreeIPA framework lost access to the keytab due to the privilege separation work we did (read https://vda.li/en/docs/freeipa-debug-privsep/ for details).

Since your KDC PKINIT certificate might be issued by a local self-signed certmonger 'CA' in case you are not using the integrated FreeIPA CA, we have to be able to trust *that* public KDC certificate when running 'kinit -n', thus we need access to it."

He also suggested that this should be changed in Ubuntu. If the directory /var/lib/krb5kdc becomes readable (perhaps chmod 711) then it would solve this issue. The directory /var/lib/krb5kdc is part of the package krb5-kdc.

** Also affects: krb5 (Ubuntu)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1791325
Title: freeipa server needs read access /var/lib/krb5kdc
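The permission change proposed in the report (chmod 711 on /var/lib/krb5kdc) only needs to open the directory's traverse bit; the KDC database and the PKINIT private key inside must stay owner-only, and only the public certificate needs to be readable by an unprivileged process. The script below is an added example, not part of the bug report or of the krb5/FreeIPA packages: it models that layout on a constructed temporary directory, applies the fix, and audits the result. The file names kdc.crt, kdc.key and principal are assumptions for the demo; real installs may name these files differently.

```shell
#!/bin/sh
# Added example (not from the bug report): model the /var/lib/krb5kdc
# permission fix on a constructed temporary tree and check that the
# directory becomes traversable (711-style) while the files inside keep
# their intended modes. File names are constructed for this demo.

set -e

# 10-character mode string of a path; ls -ld works on GNU and BSD.
mode_str() {
    ls -ld "$1" | cut -c1-10
}

# Directory is OK when "other" may traverse (x) but not list (no r),
# i.e. the 711 layout suggested in the bug rather than a blanket 755.
kdc_dir_ok() {
    case "$(mode_str "$1")" in
        d??????-?x) return 0 ;;
        *) return 1 ;;
    esac
}

# Secret material (KDC database, PKINIT private key) must have no
# group or other access at all.
secret_file_ok() {
    case "$(mode_str "$1")" in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# The public PKINIT certificate must be readable by others so an
# unprivileged process (the privilege-separated IPA framework) can
# use it to trust the KDC when running 'kinit -n'.
public_file_ok() {
    case "$(mode_str "$1")" in
        -??????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a constructed stand-in for /var/lib/krb5kdc with the 700
# directory mode that blocks the IPA framework; echo its path.
setup_demo() {
    base=$(mktemp -d)
    mkdir "$base/krb5kdc"
    printf 'constructed principal db\n' > "$base/krb5kdc/principal"
    printf 'constructed private key\n'  > "$base/krb5kdc/kdc.key"
    printf 'constructed public cert\n'  > "$base/krb5kdc/kdc.crt"
    chmod 700 "$base/krb5kdc"
    chmod 600 "$base/krb5kdc/principal" "$base/krb5kdc/kdc.key"
    chmod 644 "$base/krb5kdc/kdc.crt"
    echo "$base/krb5kdc"
}

# The fix proposed in the bug: open only the traverse bit on the directory.
apply_fix() {
    chmod 711 "$1"
}

# Audit one KDC directory; returns 0 when every check passes.
audit_kdc_dir() {
    rc=0
    kdc_dir_ok "$1"               || { echo "dir $1 is not 711-style"; rc=1; }
    secret_file_ok "$1/principal" || { echo "principal is too open"; rc=1; }
    secret_file_ok "$1/kdc.key"   || { echo "kdc.key is too open"; rc=1; }
    public_file_ok "$1/kdc.crt"   || { echo "kdc.crt is not world-readable"; rc=1; }
    return $rc
}

# Demo run: the 700 default fails the audit; after chmod 711 it passes.
demo_dir=$(setup_demo)
if audit_kdc_dir "$demo_dir"; then
    echo "BEFORE: audit passes (unexpected)"
else
    echo "BEFORE: audit fails as expected on the 700 directory"
fi
apply_fix "$demo_dir"
if audit_kdc_dir "$demo_dir"; then
    echo "AFTER: audit passes with 711 directory and 600 secrets"
else
    echo "AFTER: audit still failing"
fi
rm -r "${demo_dir%/krb5kdc}"
```

The audit deliberately checks the file modes alongside the directory mode: loosening the directory to 711 is harmless only while the database and key files stay 600, so a fix that ran `chmod -R` or chose 755 would fail it.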

