Samba AD users can forge password change requests for any user. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change the passwords of other users, enabling full domain takeover.