I'm going to push back on the reassignment to krb5.
I think this is a freeipa bug.
Kerberos's systemd service unit is correct for Kerberos.
freeipa is the one that is deciding it wants to change the Kerberos
logging configuration, and thus is the one that should adjust the
permissions.
Honestly I'd rather see this fixed by freeipa not messing around with
Kerberos configs so much, but especially not logging config.
I'm going to push back on the reassignment to krb5.
I think this is a freeipa bug.
Kerberos's systemd service unit is correct for Kerberos.
freeipa is the one that is deciding it wants to change the Kerberos
logging configuration, and thus is the one that should adjust the
permissions.
Honestly I'd rather see this fixed by freeipa not messing around with
Kerberos configs so much, but especially not logging config.