[OpenAFS] AFS, Kerberos 5, and Windows; questions

[Patrick J. LoPresti]

I have read the Kerberos FAQ and the documentation in the AFS-Kerberos
5 migration kit, and I have some more questions.

Background: I am contemplating an AFS rollout for my site.  I would
like to use a Kerberos 5 KDC, since that appears to be the Right Thing
in the long run.  I need to support Windows NT and 2000 clients (as
well as Linux and Solaris).

Here are my questions.

What are the advantages and disadvantages of including AFS3-salted
keys in the KDC?  If I understand correctly, I would only need such
keys for klog to work; if instead we always use (Kerberos 5) kinit and
aklog, is there any reason to support AFS3-salted keys at all?

What is the recommended way to integrate Windows NT and 2000 clients
into an AFS + Kerberos 5 environment?  (We already have an NT domain
and we do not mind maintaining separate password databases both there
and in the KDC.)  Should I look to klog + krb524d + fakeka(?) to
obtain tokens, or is there a version of kinit + aklog for NT/2000?

On a related note...  When the NT domain and KDC passwords match, it
would be nice if the Windows user did not have to type her password
twice when she logs in.  Is there any prayer of hooking AFS
authentication into the regular Windows login process, or is this a
pipe dream?

Thanks in advance for any answers.

 - Pat