In Red Hat Enterprise Linux 6, Kerberos clients and servers (including KDCs) will default to not using keys for the ciphers arcfour-hmac-exp. By default, clients will not be able to authenticate to services which have keys of these types.
Most services can have a new set of keys (including keys for use with stronger ciphers) added to their keytabs and experience no downtime, and the ticket granting service's keys can likewise be updated to a set which includes keys for use with stronger ciphers, using the kadmin cpw -keepold command.
As a temporary workaround, systems that need to continue to use the weaker ciphers require the allow_weak_crypto option in the libdefaults section of the /etc/krb5.conf file. This variable is set to false by default, and authentication will fail without having this option enabled:
allow_weak_crypto = yes
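Because this setting is meant to be temporary, it is worth checking which hosts still carry it once their keys have been updated. The following is an added example, not part of the original guide or of Red Hat's tooling: a shell function (the name weak_crypto_status is hypothetical) that reports whether allow_weak_crypto is enabled in the libdefaults section of a krb5.conf file. It assumes the boolean spellings MIT krb5 accepts (y, yes, true, t, 1, on), treats any enabling line as enabled, and does not follow include directives.

```shell
#!/bin/sh
# Added example: audit a krb5.conf for the allow_weak_crypto workaround.
# Prints "enabled", "disabled", or "unset" (unset means the default, false).
weak_crypto_status() {
    awk '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[/ {                          # section header, e.g. [libdefaults]
            s = $0; gsub(/[ \t]/, "", s)
            in_lib = (s == "[libdefaults]"); next
        }
        in_lib && /^[ \t]*allow_weak_crypto[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)        # drop "name =" prefix
            sub(/[ \t]+$/, "", v)              # drop trailing whitespace
            v = tolower(v)
            # Assumed true spellings; any enabling line counts (conservative).
            if (v ~ /^(y|yes|true|t|1|on)$/) on = 1
            seen = 1
        }
        END { print (on ? "enabled" : (seen ? "disabled" : "unset")) }
    ' "$1"
}

# Constructed sample configuration (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 # allow_weak_crypto = no
 allow_weak_crypto = yes

[realms]
 allow_weak_crypto = no
EOF

weak_crypto_status "$sample"
```

On a real host, call the function with /etc/krb5.conf as its argument; a result of "enabled" marks a system still relying on the workaround.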
Additionally, support for Kerberos IV, both as an available shared library and as a supported authentication mechanism in applications, has been removed. Newly-added support for lockout policies requires a change to the database dump format. Master KDCs which need to dump databases in a format that older KDCs can consume must run kdb5_util's dump command with the