Note that as of version 1.8, clients and servers (including KDCs) will default to not using keys for the ciphers "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des3-cbc-raw", "des-hmac-sha1", and "arcfour-hmac-exp". As a result, by default, clients will not be able to authenticate to services which have keys of only these types. This may include the KDC's ticket granting service.
Most services can have a new set of keys (including keys for use with stronger ciphers) added to their keytabs and experience no downtime, and the ticket granting service's keys can likewise be updated, to a set which includes keys for use with stronger ciphers, using kadmin's "cpw -keepold" command.
As a temporary workaround, systems which need to continue to use the weaker ciphers can be configured with "allow_weak_crypto = yes" in the [libdefaults] section of their respective /etc/krb5.conf files.
As of this writing, NFS, when used with Kerberos authentication, only supports use of DES key types and ciphers. As a result, without the above workaround in place, NFS clients and servers will be unable to authenticate to each other -- attempts to mount NFS filesystems may fail, and the client's rpc.gssd and the server's rpc.svcgssd may log errors indicating that DES encryption types are not permitted.