URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

stlaz commented:
Note that `KRA_AGENT_PEM` will not be moved to the correct folder if KRA is not
installed, but that's fine with me.
`/bin/systemctl status  ipa_memcached.service` still shows the service as
`running`, although there's the strange line `Loaded: not-found (Reason: No such file or directory)`.
That does not seem OK; should we stop the service as well?

