I'm a little confused. I just had to turn on allow_weak_crypto in a RHEL6 Kerberos client's /etc/krb5.conf to be able to aklog. My understanding was that this setting was only needed on the KDCs, which, until now, have been working fine since we upgraded our KDCs to 1.9. Is that just because our other clients are (they are) running sub-1.9 MIT Kerberos, so we didn't hit this?