The default etype list in Kerberos 5 still contains weak etypes like DES, 3DES and RC4. Although the allow_weak_crypto setting is false by default which means these etypes will not be used out-of-box, it's safer to remove them from default etypes as well. This is especially true for customers who only wants to use some of the weak etypes but not all of them. For example, if a customer needs to use RC4 but not DES, they would have to add RC4 to the enctypes lists and set allow_weak_crypto to true at the same time. Without the proposed change, they may only set allow_weak_crypto to true and forget to remove DES from those enctypes lists.