http://web.mit.edu/kerberos/krb5-devel/doc/admin/advanced/retiring-des.html "If there remain legacy services which do not support non-DES enctypes (such as AFS), allow_weak_crypto must remain enabled on the KDC." This is not true any more (since July 2013). See OpenAFS.org. -- Regards Georg Sluyterman