Been making some changes today to our Kerberos configuration -- adding support for some encryption types *other* than the slightly out-of-date DES ;)
"out of date DES" is still the default until I've verified that all of the older 'aklog' binaries have been updated to support the new encryption types; the kerberos libraries that the builds were linked against were rather moldy and oldy, so they don't contain support for the newer enctypes that they'll be seeing. In addition, the newer builds of aklog will support addressless tickets, which is the flavor of the month in KRB5 land.