Comment 8 for bug 369575

No no, the goal is not to have Kerberos users with uid < 1000. It's to push minimum_uid higher, so that you can have normal 1000-something-uid local users authenticate without any Kerberos interaction. Same argument as for the root user and ignore_root.

As for doing the upgrade, isn't pam-configs/krb5 a conffile? The user would see what's going on.