Our situation is that I configured our Heimdal Kerberos setup to
use libpam-krb5-migrate-heimdal to migrate user accounts from an LDAP
server that uses an authentication backend of Active Directory (which we do
not have admin control over). We use the Active Directory accounts for
most of our authentication, but we are trying to piggyback Krb5/NFSv4 onto
that system.

Initial migration works fine, but the problem is that if a user changes a
password in AD, then that does not propagate over to our Kerberos server. To
remedy this, I modified the libpam-krb5-migrate-heimdal package for our
local use by adding a function from the libkadm5srv8-heimdal package to
sync passwords with the LDAP/AD accounts during each login, and it works
well. (Granted, they could use kpasswd, but we are trying to keep this as
simple for the user as possible.)

I was wondering if this password syncing would be a good patch I could
submit to the Debian community? My idea would be to add another PAM module
option that would enable this feature if desired.
