Fix PAM API to not use impersonation for Active Directory
In some patch or another the PAM API was altered to call Active Directory in the callers contexts. Which for Constrained Delegation means you have to add the SPN for LDAP for all your domain controllers.
According to my brief read of the code it seems it only does this to... find the users expiration date.
For AD reads, use the service accounts identity, not impersonation.