Comment 13 for bug 369575

Thought about the upgrade process a bit. How about this:

1. kerberos-configs starts generating new krb5.conf files with minimum_uid=1000. Then a little later...

2. libpam-krb5 has minimum_uid removed from pam-configs/krb5. On upgrade, it checks to see if this is in krb5.conf. If yes, great. If no, then copy pam-configs/krb5 to e.g. krb5_old, have pam-auth-update use that instead of the new krb5 profile, and show a warning to the user. The user can dismiss the warning, and nothing changes for him/her. krb5_old sticks around as a conffile (removed if package is purged, but otherwise remains untouched by future upgrades), and the regular krb5 profile doesn't have to be hobbled by backward-compatibility measures.