diff -up authconfig-6.2.8/authinfo.py.krb5-include authconfig-6.2.8/authinfo.py
--- authconfig-6.2.8/authinfo.py.krb5-include	2015-07-03 11:52:58.000000000 +0200
+++ authconfig-6.2.8/authinfo.py	2015-07-03 12:47:44.993864700 +0200
@@ -109,6 +109,8 @@ PATH_PAM_SSS = AUTH_MODULE_DIR + "/pam_s
 
 PATH_LIBSSS_AUTOFS = "/usr" + LIBDIR + "/sssd/modules/libsss_autofs.so"
 
+PATH_KRB5_INCLUDEDIR = "/var/lib/sss/pubconf/krb5.include.d/"
+
 PATH_WINBIND_NET = "/usr/bin/net"
 PATH_IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
 
@@ -3022,6 +3024,8 @@ class AuthInfo:
 		wroteourdomrealm = False
 		wrotedomrealm = False
 		wrotedomrealm2 = False
+		# No dir -> no incdir line, set as if already written
+		wroteincdir = not os.access(PATH_KRB5_INCLUDEDIR, os.R_OK)		
 		section = ""
 		subsection = ""
 		f = None
@@ -3043,6 +3047,12 @@ class AuthInfo:
 			for line in f.file:
 				ls = line.strip()
 
+				if matchLine(ls, "includedir " + PATH_KRB5_INCLUDEDIR):
+					if not wroteincdir:
+						wroteincdir = True
+					else:
+						# already written or should be removed
+						continue
 				# If this is the "kdc" in our realm, replace it with
 				# the values we now have.
 				if (section == "realms" and subsection and subsection == self.kerberosRealm
@@ -3132,6 +3142,9 @@ class AuthInfo:
 					continue
 				# If it's the beginning of a section, record its name.
 				if matchLine(ls, "["):
+					if not wroteincdir:
+						output += "includedir " + PATH_KRB5_INCLUDEDIR + "\n"
+						wroteincdir = True
 					# If the previous section was "realms", and we didn't
 					# see ours, write our realm out.
 					if (section == "realms" and self.kerberosRealm