This means that if you compromise the hash of the service you can impersonate users and obtain access on their behalf to the service configured (possible privesc).
Also, you won't only have access to the service that user is able to impersonate, but also to any service that uses the same account as the allowed one (because the SPN is not being checked, only privileges). For example, if you have access to CIFS service you can also have access to HOST service.
Moreover, notice that if you have access to LDAP service on DC, you will have enough privileges to exploit a DCSync.