While investigating https://github.com/freeipa/freeipa-container/issues/252, I've found out that /etc/krb5.conf on container upgraded from older versions has
pkinit_anchors = FILE:/etc/ipa/ca.crt
while fresh installation on Fedora 27 and Fedora 28 has
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
The /etc/krb5.conf does not get updated to match the fresh FreeIPA-on-Fedora 28.
The /etc/krb5.conf does gets updated to match the fresh FreeIPA-on-Fedora 28.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package ipa-server is not installed
package ipa-client is not installed
This was upgrade from Fedora 25.
to comment on this ticket.