Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service.
The risks of impersonation of the client are similar to the well known risks from forwarding of NTLM credentials, with two important differences:
- NTLM forwarding can and should be mitigated with packet signing
- Kerberos forwarding can only be attempted after the trusted destination server decrypts the ticket.