Comment 1 for bug 1791325

There was a discussion on the freeipa users list and Alexander Bokovoy was
kind enough to explain what was happening.

"We need access to the KDC's public certificate in case we are dealing
with a KDC certificate issued by a local certmonger (self-signed) which
is not trusted by the machine.

You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for
details. A short version is:
--------
When you install 4.5 with --no-pkinit, the installer will generate
self-signed certificate for PKINIT. This certificate is only used and
trusted by IPA Web UI running on the same server to obtain an anonymous
ticket.
--------

That anonymous PKINIT is required right now to enable two-factor
authentication login to web UI because since FreeIPA 4.5 we cannot use
HTTP service keytab anymore: FreeIPA framework lost access to the keytab
due to privilege separation work we did (read
https://vda.li/en/docs/freeipa-debug-privsep/ for details)

Since your KDC PKINIT certificate might be issued by a local self-signed
certmonger 'CA' in case you are not using integrated FreeIPA CA, we have
to be able to trust *that* public KDC certificate when running 'kinit
-n', thus we need access to it. "

He also suggested that this should be changed in Ubuntu. If the directory
/var/lib/krb5kdc becomes readable (perhaps chmod 711) then it would solve
this issue.

The directory /var/lib/krb5kdc is part of the package krb5-kdc.