I asked upstream, who notes that this is the stuff covered in the Tervoort paper (https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf) and that, per https://web.mit.edu/kerberos/krb5-1.21/, you have to specifically enable issuance of rc4 (and des3) session keys with new config as of 1.21. Since there has to be a knob to let people enable the weak behavior in case they are completely broken without it, that seems like it should count as fixed for trixie and sid. The paper also talks about attacks against the PAC, and upstream says there was a fair bit of work in 1.21 to tackle things on the PAC side as well.
I have not attempted to take a look at how much work it would be to extract those changes for backport to stable.

-Ben
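An added example, not part of the message above and not code from MIT krb5: a small audit that reports whether a krb5.conf re-enables the weak session keys the message refers to. It assumes the 1.21 knobs are the `[libdefaults]` booleans `allow_rc4` and `allow_des3` (names taken from the MIT krb5 1.21 documentation, not from this page); the sample configs and realm name are constructed, and `include`/`includedir` directives are not followed.

```python
import re

# Assumed names of the krb5 1.21 [libdefaults] knobs (not named on this page).
WEAK_KNOBS = ("allow_rc4", "allow_des3")
# Strings the krb5 profile library treats as boolean true.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}


def weak_session_key_knobs(conf_text):
    """Return the sorted weak-enctype knobs switched on in [libdefaults].

    Conservative for auditing: a knob is reported if any occurrence in
    [libdefaults] enables it, whichever occurrence krb5 would honour.
    """
    enabled = set()
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:                               # e.g. [libdefaults], [realms]
            section = header.group(1).strip()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in WEAK_KNOBS and value.lower() in TRUE_VALUES:
            enabled.add(key)
    return sorted(enabled)


# Constructed sample: stock config, knobs absent, so weak session keys stay off.
SAMPLE_DEFAULT = """[libdefaults]
    default_realm = EXAMPLE.TEST
# allow_des3 = true
"""

# Constructed sample: a site that turned RC4 back on for legacy clients.
SAMPLE_LEGACY = """[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_rc4 = yes
    allow_des3 = false
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("legacy", SAMPLE_LEGACY)):
        print(name, weak_session_key_knobs(text) or "weak session keys not enabled")
```

An empty result only means something on 1.21 or later; on older releases the knobs do not exist and their absence says nothing about RC4 or des3 session keys.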

