IPA - AD 2003 Trust, Authentication Error

vanya2803
Posts: 2
Joined: 2020/10/04 08:28:58

IPA - AD 2003 Trust, Authentication Error

Post by vanya2803 » 2020/10/04 10:10:53

I need an IPA (CentOS 8) and AD (Windows Server 2003 forest and domain functional level) trust. It works on CentOS 7.
I install CentOS 8 (8.1 or 8.2).
I install the IPA server with --setup-adtrust --enable-compat.
I set up the IPA and Windows Server 2008 R2 (Windows Server 2003 forest and domain functional level) trust:
I add the trust on Windows with the New Trust Wizard, using a trust secret.
I run ipa add-trust with --trust-secret.

I add to /etc/krb5.conf:
allow_weak_crypto = true
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5 rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5 rc4-hmac
I add to /etc/krb5.conf.d/crypto-policies:
des-cbc-md5 rc4-hmac
I set the crypto policy to LEGACY (update-crypto-policies --set LEGACY) and reboot.

After that:
I can kinit winadmin@ad2003.ad.
I can getent winadmin@ad2003.ad.
I cannot authenticate on client or server - Access denied

/var/log/krb5kdc.log:
TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:des-cbc-md5(3), DEPRECATED:arcfour-hmac(23)}) 10.125.3.11: PROCESS_TGS: authtime 0, etypes {rep=(0)} <unknown client> for host/dc1-main.compat.ad@COMPAT.AD, No matching key in entry

klist -e
Etype (skey, tkt): DEPRECATED:des-cbc-md5, DEPRECATED:arcfour-hmac

In CentOS 7, klist -e:
Etype (skey, tkt): arcfour-hmac, arcfour-hmac

If I remove des-cbc-md5 from /etc/krb5.conf
klist -e
Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac
but I can't authenticate, with this error in /var/log/krb5kdc.log:
TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:des-cbc-md5(3), DEPRECATED:arcfour-hmac(23)}) 10.125.3.11: PROCESS_TGS: authtime 0, etypes {rep=(0)} <unknown client> for host/dc1-main.compat.ad@COMPAT.AD, No matching key in entry
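A small diagnostic for the krb5kdc.log line quoted in the post, added here as an example and not part of the original thread: it parses the TGS_REQ line, extracts the enctypes the client offered (flagging the DEPRECATED single-DES and RC4 ones that the LEGACY crypto policy re-enables), and intersects them with the enctypes a service principal actually has keys for, read from a klist -ke style listing. The keytab listing, its KVNOs and the EXAMPLE.TEST realm are constructed for this example; the client IP and principal names are the ones in the post.

```python
import re

# Added example (not code from the post). Enctype numbers are the RFC 3961/
# RFC 4120 assignments for the names seen in krb5kdc.log and klist output.
ENCTYPES = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18,
    "aes128-cts-hmac-sha256-128": 19, "aes256-cts-hmac-sha384-192": 20,
    "arcfour-hmac": 23, "rc4-hmac": 23, "arcfour-hmac-exp": 24, "rc4-hmac-exp": 24,
}
# Single-DES and RC4: the enctypes MIT krb5 labels DEPRECATED and that
# update-crypto-policies only permits under the LEGACY policy.
WEAK_ETYPES = {1, 2, 3, 23, 24}

ETYPE_RE = re.compile(r"(DEPRECATED:)?([\w-]+)\((\d+)\)")
TGS_RE = re.compile(
    r"TGS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<client>\S+): "
    r"(?P<stage>\w+): .*? for (?P<service>\S+?)(?:, (?P<error>.*))?$"
)
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([\w-]+)\)")

# Constructed sample input: the TGS_REQ line from the post, plus a klist -ke
# style listing invented for this example (KVNOs and key enctypes are made up).
SAMPLE_LOG = (
    "TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "DEPRECATED:des-cbc-md5(3), DEPRECATED:arcfour-hmac(23)}) 10.125.3.11: "
    "PROCESS_TGS: authtime 0, etypes {rep=(0)} <unknown client> for "
    "host/dc1-main.compat.ad@COMPAT.AD, No matching key in entry"
)
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/dc1-main.compat.ad@COMPAT.AD (DEPRECATED:des-cbc-crc)
   5 host/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   5 host/ipa.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""


def parse_etypes(text):
    """Turn 'name(num), DEPRECATED:name(num)' into [(name, num, deprecated)]."""
    return [(m.group(2), int(m.group(3)), m.group(1) is not None)
            for m in ETYPE_RE.finditer(text)]


def parse_tgs_req(line):
    """Parse one krb5kdc.log TGS_REQ line; None if the line is not a TGS_REQ."""
    m = TGS_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["etypes"] = parse_etypes(fields["etypes"])
    return fields


def parse_keytab_listing(text):
    """Map principal -> set of enctype numbers from klist -ke style output."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if not m:
            continue  # header, separator and 'Keytab name:' lines
        num = ENCTYPES.get(m.group(3))
        if num is not None:
            keys.setdefault(m.group(2), set()).add(num)
    return keys


def diagnose(line, service_keys):
    """Compare the enctypes a client offered with the keys the service has."""
    req = parse_tgs_req(line)
    if req is None:
        return None
    requested = {num for _, num, _ in req["etypes"]}
    available = service_keys.get(req["service"], set())
    usable = requested & available
    if not usable:
        why = ("service principal has no key in any enctype the client offered; "
               "this is the condition the MIT KDC logs as 'No matching key in entry'")
    else:
        why = ("client and service share enctypes %s; the failure is not an "
               "enctype mismatch on this entry" % sorted(usable))
    return {
        "client": req["client"], "service": req["service"], "error": req["error"],
        "requested": sorted(requested), "available": sorted(available),
        "usable": sorted(usable),
        # Weak enctypes the client is willing to use: worth knowing before
        # leaving a realm on the LEGACY policy.
        "weak_requested": sorted(requested & WEAK_ETYPES),
        "explanation": why,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, parse_keytab_listing(SAMPLE_KEYTAB)).items():
        print("%-15s %s" % (key, value))
```

Run it against the real log and the output of `klist -ke` on the server holding the service principal; an empty `usable` list means the request can only succeed once the two sides share a key enctype, and a non-empty `weak_requested` list shows which DES/RC4 types the LEGACY setting has put back on the wire.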
