no suitable keys in keytab created in Active Directory

I am trying to build a cross-realm trust between a MIT KDC server ( and an Active Directory 2008 (cloudtest.local). I created a keytab in AD with the following command:

ktpass /out ldap1.keytab /princ lpad1@cloudtest.local /mapuser ldap1 /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass Password2 /target cloudtest.local

Now, on the CentOS server with the MIT KDC (, I am doing:

$ klist -kte ldap1.keytab
Keytab name: FILE:ldap1.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/1970 02:00:00 lpad1@cloudtest.local (aes256-cts-hmac-sha1-96)

The first thing to note is the date, which seems to be equal to the epoch (why?). Then, if I try to kinit, I get the following error:

$ kinit -kt ldap1.keytab ldap1@CLOUDTEST.LOCAL
kinit: Keytab contains no suitable keys for ldap1@CLOUDTEST.LOCAL while getting initial credentials


  • Both the KDC and AD support the same encryption types. On the KDC side these are: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
  • kinit works fine with keytabs generated by the KDC, as normal.

What else should I look into or how should I debug this?

Thank you!
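One way to debug a "no suitable keys" error, as an added example that is not part of the original post: parse the keytab (MIT file format 0x0502) and compare its stored principal byte-for-byte with the one passed to kinit, since MIT Kerberos matches principal names exactly and case-sensitively. The function names and the sample keytab (all-zero key, values copied from the klist output above) are constructed for illustration.

```python
import struct

def _cs(s):  # counted string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_keytab(realm, comps, kvno, etype, key, ts=0):
    """One-entry keytab in file format 0x0502 (constructed demo data)."""
    body = struct.pack(">H", len(comps)) + b"".join(map(_cs, [realm, *comps]))
    # name type 1 = KRB5_NT_PRINCIPAL; 8-bit kvno, then key, then 32-bit kvno
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype, timestamp)] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size = deleted slot, skip it
            pos += -size
            continue
        end, p, strs = pos + size, pos + 2, []
        (ncomp,) = struct.unpack_from(">H", data, pos)
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            strs.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        _nt, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen                # skip the fixed fields and the key bytes
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        out.append(("/".join(strs[1:]) + "@" + strs[0], kvno, etype, ts))
        pos = end
    return out

def diagnose(entries, wanted):
    """Exact comparison, as MIT krb5 does; on a miss, report what differs."""
    if any(e[0] == wanted for e in entries):
        return "match"
    w_name, _, w_realm = wanted.rpartition("@")
    notes = []
    for princ, *_rest in entries:
        name, _, realm = princ.rpartition("@")
        if realm != w_realm and realm.upper() == w_realm.upper():
            notes.append(f"realm case differs: {realm} vs {w_realm}")
        if name != w_name:
            notes.append(f"name differs: {name} vs {w_name}")
    return "; ".join(notes) or "no candidate entries"

# Constructed sample mirroring the klist line above (enctype 18 = aes256-cts-hmac-sha1-96)
SAMPLE = build_keytab("cloudtest.local", ["lpad1"], 3, 18, bytes(32))
```

For a real file, pass `open("ldap1.keytab", "rb").read()` to `parse_keytab` and the exact principal string given to kinit to `diagnose`.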