diff -Nru freeipa-4.9.11/debian/changelog freeipa-4.9.11/debian/changelog
--- freeipa-4.9.11/debian/changelog	2023-01-18 16:22:38.000000000 +0000
+++ freeipa-4.9.11/debian/changelog	2023-04-27 14:23:26.000000000 +0000
@@ -1,3 +1,11 @@
+freeipa (4.9.11-2) unstable; urgency=medium
+
+  * client: Fix kerberos support for Java by dropping a duplicate
+    includedir from ipa-client-setup we already get from sssd. (Closes:
+    #1034659)
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Thu, 27 Apr 2023 17:23:26 +0300
+
 freeipa (4.9.11-1) unstable; urgency=medium
 
   * New upstream release. (Closes: #1029070)
diff -Nru freeipa-4.9.11/debian/freeipa-client.postinst freeipa-4.9.11/debian/freeipa-client.postinst
--- freeipa-4.9.11/debian/freeipa-client.postinst	1970-01-01 00:00:00.000000000 +0000
+++ freeipa-4.9.11/debian/freeipa-client.postinst	2023-04-27 14:22:01.000000000 +0000
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+    configure)
+        # drop duplicate include
+        if grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf  2>/dev/null ; then
+            sed -i '\;includedir /var/lib/sss/pubconf/krb5.include.d;d' /etc/krb5.conf
+        fi
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+#DEBHELPER#
diff -Nru freeipa-4.9.11/debian/patches/drop-duplicate-includedir-from-krb5.conf.patch freeipa-4.9.11/debian/patches/drop-duplicate-includedir-from-krb5.conf.patch
--- freeipa-4.9.11/debian/patches/drop-duplicate-includedir-from-krb5.conf.patch	1970-01-01 00:00:00.000000000 +0000
+++ freeipa-4.9.11/debian/patches/drop-duplicate-includedir-from-krb5.conf.patch	2023-04-27 13:58:35.000000000 +0000
@@ -0,0 +1,84 @@
+From a83ae63578124a6cf101d3609213bedb9a66813d Mon Sep 17 00:00:00 2001
+From: Timo Aaltonen <tjaalton@debian.org>
+Date: Fri, 21 Apr 2023 11:30:20 +0300
+Subject: [PATCH] Drop duplicate includedir from krb5.conf
+
+SSSD already provides a config snippet which includes
+SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
+
+Add also a dependency on sssd-krb5 for freeipa-client.
+
+https://pagure.io/freeipa/issue/9267
+
+Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ freeipa.spec.in                  |  7 +++----
+ install/share/krb5.conf.template |  1 -
+ ipaclient/install/client.py      | 13 -------------
+ 3 files changed, 3 insertions(+), 18 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 40ca377bf..8e14c5f55 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -702,6 +702,7 @@ Requires: jansson
+ %endif
+ Requires: sssd-ipa >= %{sssd_version}
+ Requires: sssd-idp >= %{sssd_version}
++Requires: sssd-krb5 >= %{sssd_version}
+ Requires: certmonger >= %{certmonger_version}
+ Requires: nss-tools >= %{nss_version}
+ Requires: bind-utils
+@@ -1253,10 +1254,8 @@ if [ $1 -gt 1 ] ; then
+     test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+ 
+     if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
+-        if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf  2>/dev/null ; then
+-            echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
+-            cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
+-            mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
++        if grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf  2>/dev/null ; then
++            sed -i '\;includedir /var/lib/sss/pubconf/krb5.include.d;d' /etc/krb5.conf
+         fi
+     fi
+ 
+diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
+index 4d417416a..37ec8a4c1 100644
+--- a/install/share/krb5.conf.template
++++ b/install/share/krb5.conf.template
+@@ -1,5 +1,4 @@
+ $INCLUDES
+-includedir /var/lib/sss/pubconf/krb5.include.d/
+ 
+ [logging]
+  default = FILE:/var/log/krb5libs.log
+diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
+index 6e7f17d5b..ef29a2c8a 100644
+--- a/ipaclient/install/client.py
++++ b/ipaclient/install/client.py
+@@ -699,19 +699,6 @@ def configure_krb5_conf(
+             }
+         ])
+ 
+-    # SSSD include dir
+-    if configure_sssd:
+-        if not os.path.exists(paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR):
+-            os.makedirs(paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, mode=0o755)
+-        opts.extend([
+-            {
+-                'name': 'includedir',
+-                'type': 'option',
+-                'value': paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR,
+-                'delim': ' '
+-            },
+-            krbconf.emptyLine()])
+-
+     # [libdefaults]
+     libopts = [
+         krbconf.setOption('default_realm', cli_realm)
+-- 
+2.39.2
+
diff -Nru freeipa-4.9.11/debian/patches/series freeipa-4.9.11/debian/patches/series
--- freeipa-4.9.11/debian/patches/series	2023-01-18 16:14:09.000000000 +0000
+++ freeipa-4.9.11/debian/patches/series	2023-04-27 14:01:21.000000000 +0000
@@ -1,4 +1,5 @@
 # upstreamed
+drop-duplicate-includedir-from-krb5.conf.patch
 
 # not upstreamable
 dnssec-race-wa.diff