diff -Nru opencryptoki-3.21.0+dfsg/debian/changelog opencryptoki-3.21.0+dfsg/debian/changelog
--- opencryptoki-3.21.0+dfsg/debian/changelog	2023-07-07 12:15:35.000000000 +0200
+++ opencryptoki-3.21.0+dfsg/debian/changelog	2023-10-19 18:21:02.000000000 +0200
@@ -1,3 +1,25 @@
+opencryptoki (3.21.0+dfsg-0ubuntu1.1) mantic; urgency=medium
+
+  * Fix opencryptoki package install issue (LP: 2039783)
+    - Add /run/opencryptoki to d/opencryptoki.dirs to hand over folder
+      management to dh.
+    - Remove d/opencryptoki.tmpfile since opencryptoki.conf from build
+      output should be used.
+    - Modify d/opencryptoki.postinst
+      - ensure that pkcs11 is a supplementary group for root
+      - remove uneeded/duplicate chown
+      - reorder commands to reduce (warn) messages
+    - Modify d/opencryptoki.postrm
+      - remove pkcsslotd user before removing pkcs11 group
+        (otherwise it'll never be empty)
+    - Remove obsolete Depends on lsb-base.
+      (package incl. /lib/systemd/system/pkcsslotd.service)
+    - Expand opencryptoki.lintian-overrides to ignore lintian
+      dir-or-file-in-run and dir-or-file-in-var-lock
+      since this is handled by tmpfiles.d/opencryptoki.conf.
+
+ -- Frank Heimes <frank.heimes@canonical.com>  Thu, 19 Oct 2023 18:21:02 +0200
+
 opencryptoki (3.21.0+dfsg-0ubuntu1) mantic; urgency=medium
 
   * New upstream release (LP: #2026732), incl. support for:
diff -Nru opencryptoki-3.21.0+dfsg/debian/control opencryptoki-3.21.0+dfsg/debian/control
--- opencryptoki-3.21.0+dfsg/debian/control	2023-07-07 12:15:35.000000000 +0200
+++ opencryptoki-3.21.0+dfsg/debian/control	2023-10-19 18:21:02.000000000 +0200
@@ -25,7 +25,6 @@
 Depends:
  adduser,
  libopencryptoki0 (= ${binary:Version}),
- lsb-base (>= 3.0-6),
  ${misc:Depends},
  ${shlibs:Depends}
 Multi-Arch: foreign
diff -Nru opencryptoki-3.21.0+dfsg/debian/opencryptoki.dirs opencryptoki-3.21.0+dfsg/debian/opencryptoki.dirs
--- opencryptoki-3.21.0+dfsg/debian/opencryptoki.dirs	2023-07-07 12:15:35.000000000 +0200
+++ opencryptoki-3.21.0+dfsg/debian/opencryptoki.dirs	2023-10-19 14:01:51.000000000 +0200
@@ -12,3 +12,4 @@
 /var/lib/opencryptoki/tpm
 /var/lock/opencryptoki
 /var/log/opencryptoki
+/run/opencryptoki
diff -Nru opencryptoki-3.21.0+dfsg/debian/opencryptoki.lintian-overrides opencryptoki-3.21.0+dfsg/debian/opencryptoki.lintian-overrides
--- opencryptoki-3.21.0+dfsg/debian/opencryptoki.lintian-overrides	2023-07-07 12:15:35.000000000 +0200
+++ opencryptoki-3.21.0+dfsg/debian/opencryptoki.lintian-overrides	2023-10-19 18:21:02.000000000 +0200
@@ -1,2 +1,7 @@
 # Linked code is CPL-1.0 - only Debian packaging is GPL.
 opencryptoki: possible-gpl-code-linked-with-openssl
+# folders reported by lintian (/run/opencryptoki and /var/lock/opencryptoki)
+# are properly handled by tmpfiles.d/opencryptoki.conf
+# (https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html)
+opencryptoki: dir-or-file-in-run
+opencryptoki: dir-or-file-in-var-lock
diff -Nru opencryptoki-3.21.0+dfsg/debian/opencryptoki.postinst opencryptoki-3.21.0+dfsg/debian/opencryptoki.postinst
--- opencryptoki-3.21.0+dfsg/debian/opencryptoki.postinst	2023-07-07 12:15:35.000000000 +0200
+++ opencryptoki-3.21.0+dfsg/debian/opencryptoki.postinst	2023-10-19 18:21:02.000000000 +0200
@@ -5,17 +5,16 @@
 case "${1}" in
 	configure)
 		addgroup --system pkcs11
+		chgrp pkcs11 /run/opencryptoki
 		adduser --system --ingroup pkcs11 --home /run/opencryptoki --shell /usr/sbin/nologin --comment "Opencryptoki pkcsslotd user" pkcsslotd
 
-		adduser root pkcs11
-		chown root:pkcs11 /var/lib/opencryptoki
+		usermod -a -G pkcs11 root
 
 		chown root:pkcs11 /etc/opencryptoki/p11sak_defined_attrs.conf
 		chown root:pkcs11 /etc/opencryptoki/strength.conf
 		chmod 640 /etc/opencryptoki/strength.conf
 
 		chown pkcsslotd:pkcs11 /run/opencryptoki
-		chgrp pkcs11 /run/opencryptoki
 		chmod 0710 /run/opencryptoki
 		chgrp pkcs11 /var/lock/opencryptoki
 		chmod 0770 /var/lock/opencryptoki
diff -Nru opencryptoki-3.21.0+dfsg/debian/opencryptoki.postrm opencryptoki-3.21.0+dfsg/debian/opencryptoki.postrm
--- opencryptoki-3.21.0+dfsg/debian/opencryptoki.postrm	2023-07-07 12:15:35.000000000 +0200
+++ opencryptoki-3.21.0+dfsg/debian/opencryptoki.postrm	2023-10-19 18:21:02.000000000 +0200
@@ -4,7 +4,8 @@
 
 if [ "remove" = "${1}" ]; then
     deluser root pkcs11 || true
-    deluser --group --only-if-empty pkcs11 || true
+    deluser pkcsslotd || true
+    delgroup --group --only-if-empty pkcs11 || true
 fi
 
 #DEBHELPER#
diff -Nru opencryptoki-3.21.0+dfsg/debian/opencryptoki.tmpfile opencryptoki-3.21.0+dfsg/debian/opencryptoki.tmpfile
--- opencryptoki-3.21.0+dfsg/debian/opencryptoki.tmpfile	2023-07-07 12:15:35.000000000 +0200
+++ opencryptoki-3.21.0+dfsg/debian/opencryptoki.tmpfile	1970-01-01 01:00:00.000000000 +0100
@@ -1,21 +0,0 @@
-d /var/lock/opencryptoki 0770 root pkcs11 -
-d /var/lock/opencryptoki/icsf 0770 root pkcs11 -
-d /var/lock/opencryptoki/swtok 0770 root pkcs11 -
-d /var/lock/opencryptoki/tpm 0770 root pkcs11 -
-d /var/lock/opencryptoki/lite 0770 root pkcs11 -
-d /var/lock/opencryptoki/ccatok 0770 root pkcs11 -
-d /var/lock/opencryptoki/ep11tok 0770 root pkcs11 -
-
-d /var/lib/opencryptoki 0770 root pkcs11 -
-d /var/lib/opencryptoki/icsf 0770 root pkcs11 -
-d /var/lib/opencryptoki/swtok 0770 root pkcs11 -
-d /var/lib/opencryptoki/tpm 0770 root pkcs11 -
-d /var/lib/opencryptoki/lite 0770 root pkcs11 -
-d /var/lib/opencryptoki/ccatok 0770 root pkcs11 -
-d /var/lib/opencryptoki/ep11tok 0770 root pkcs11 -
-
-d /var/lib/opencryptoki/icsf/TOK_OBJ 0770 root pkcs11 -
-d /var/lib/opencryptoki/swtok/TOK_OBJ 0770 root pkcs11 -
-d /var/lib/opencryptoki/lite/TOK_OBJ 0770 root pkcs11 -
-d /var/lib/opencryptoki/ccatok/TOK_OBJ 0770 root pkcs11 -
-d /var/lib/opencryptoki/ep11tok/TOK_OBJ 0770 root pkcs11 -