If you do not use AES-256, you must remove the AES-256 settings as an allowed cipher for each Kerberos principal and then regenerate the keys for the krbtgt principal.
These methods require Kerberos 5-1.2 on the KDC.
Remove AES-256 settings in one of the following ways:
If you have not created the principals, use the -e flag to specify encryption:salt type pairs. For example: -e "arcfour-hmac:normal des3-hmac-sha1:normal".
If you have already created the principals, modify the Kerberos principals using the -e flag as described above and then recreate the keytab file.
Alternately, you can modify the /etc/krb5kdc/kdc.conf file by removing any entries containing aes256 from the supported_enctypes variable for the realm in which the DataStax Enterprise nodes are members. Then change the keys for the krbtgt principal.
If the KDC is used by other applications, changing the krbtgt principal’s keys invalidates any existing tickets. To prevent this, use the -keepold option when executing the change_password command. For example:
'cpw -randkey krbtgt/krbtgt/REALM@REALM'