It's another piece of software - livy in this case, that is kinit-ing as the service principal.
In this case it's the HTTP SPN for SPNego that's being used; it looks like the CM kerberization wizard puts an HTTP SPN in AD for each host, but then as passwords are not published for the user account that's been mapped, there's no way of accessing it.
I can't create a new SPN in AD, as one already exists for the service/host combination I need.
There are no services using the HTTP SPN currently, as the node I'm working on is a gateway, but I don't want to start changing passwords (and I believe (although not absolutely sure!) using ktpass to remap the user will create a new password?)