The option -mapUser useraccount@domain.com tells ktpass to store the 'principal' in the userPrincipalName attribute of this user in Active Directory, so that Active Directory is able to find it when clients ask for a Kerberos service ticket for this 'principal', and can issue such a ticket.
-mapUser specifies the name of a user that represents your service in Active Directory.
By using ktpass you are doing two things: generating a keytab for your service (so that it can open Kerberos tickets received from clients, i.e. authenticate them), and registering the principal in Active Directory (so that clients can get tickets for the service at all).
In the jaas.config file you specify just one principal name (for the service), not for the clients. Once a user logs into the Active Directory domain, he/she has the right to get a service ticket for your service.
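The pairing described above, as an added example that is not part of the original answer: a jaas.config entry for the service side, with the ktpass call that would produce its keytab shown in the leading comment. The host name, realm, account name, keytab path and the entry name com.sun.security.jgss.accept are assumptions chosen for illustration; use the entry name your application actually looks up.

```conf
/*
 * Constructed example; every name and path below is a placeholder.
 *
 * ktpass call that produces the keytab (entered as a single line):
 *
 *   ktpass -princ HTTP/app.example.com@EXAMPLE.COM
 *          -mapUser svc-app@example.com
 *          -pass * -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL
 *          -out app.keytab
 *
 * -princ   is the service principal that clients request tickets for.
 * -mapUser is the AD account that represents the service. Use a dedicated
 *          account with no interactive use and no extra group memberships.
 * -pass *  prompts for the password instead of placing it on the command line.
 * -crypto  AES256-SHA1 avoids the weaker RC4 and DES key types.
 * -out     is the keytab file. It contains the service's long-term key, so
 *          copy it over a protected channel and make it readable only by the
 *          account the service runs as.
 */
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        // Take the key from the keytab and never fall back to a prompt.
        useKeyTab=true
        doNotPrompt=true
        keyTab="/etc/app/app.keytab"
        // Must match the -princ value exactly, including the realm.
        // Only the service principal appears here, never a client principal.
        principal="HTTP/app.example.com@EXAMPLE.COM"
        // Keep the key in the Subject so that incoming tickets can be decrypted.
        storeKey=true
        // The service only accepts tickets, so it does not need to request a TGT.
        isInitiator=false;
};
```

If the principal in jaas.config differs from the one given to ktpass, the login module finds no usable key in the keytab and the service cannot accept client tickets.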