A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with.
Created samba tracking bugs for this issue: Affects: fedora-all [bug 2154322]