The difference in the two cases is that -tmp is requesting a TGT first, whereas without -tmp the [email protected] request is being issued directly. In the non -tmp case the KDC replies with a ticket encrypted using aes256-cts-hmac-sha1-96, which is not supported for AFS.
This could be either a bug in klog.krb5 or in Heimdal. I haven't looked at any code yet. In the non -tmp case either klog.krb5 is not requesting des-cbc-crc or Heimdal is forgetting that request when responding to the pre-auth request.
