Kerberos kinit with keytab not working with certain encryption methods -- PER USER
msDS-SupportedEncryptionTypes
will likely differ between the two users.
Get a monospaced font, an flip the bits you want with the documentation in the link above. (AD represents this as decimal via its LDAP interface.)
000000000000IHGF00000000000EDCBA Bit Flag Guide
00000000000000000000000000011000 24 (Decimal) is what you should want for AES only.
00000000000000010000000000011000 65560 (Decimal) is AES only with FAST.
In OpenLDAP this will look like:
$ ldapsearch -h example.com -b DC=example,DC=com,cn=username msDS-SupportedEncryptionTypes
dn: CN=username,OU=Domain Users,DC=example,DC=com
msDS-SupportedEncryptionTypes: 24
From Active Directory Users and Computers
it should look like:
[]