Kerberos, you say? Single sign-on?
Have you heard about the LDAP and Kerberos configured as part of setting up samba4ad?
I accidentally enabled SSO SSH a few years back. My samba units aren’t on PIs but they could be. They’re just on tiny tiny VMs.
A LOT of plugins in many projects are a huge concern. I say this as someone who ran security for an OS for a while. It’s just people making bad decisions for everyone and then hand-waving the risks when questioned.