Kerberos kinit with keytab not working with certain encryption methods -- PER USER

msDS-SupportedEncryptionTypes will likely differ between the two users.

Get a monospaced font, an flip the bits you want with the documentation in the link above. (AD represents this as decimal via its LDAP interface.)

000000000000IHGF00000000000EDCBA  Bit Flag Guide
00000000000000000000000000011000  24 (Decimal) is what you should want for AES only.
00000000000000010000000000011000  65560 (Decimal) is AES only with FAST.

In OpenLDAP this will look like:

$ ldapsearch -h example.com -b DC=example,DC=com,cn=username msDS-SupportedEncryptionTypes
dn: CN=username,OU=Domain Users,DC=example,DC=com
msDS-SupportedEncryptionTypes: 24

From Active Directory Users and Computers it should look like:
[AD Dialog Box showing AES Kerberos Options]