[OpenAFS] Kerberos V, users, passwd, shadow, alternatives
Kevin
openafs@gnosys.biz
Wed, 3 Mar 2004 11:26:06 -0500
Hi All-
I've posted a few questions in the last month or so and
thanks to those who replied, I'm now up and running
with a single AFS server running a SuSE 9 distro with
self-built version 1.2.11 of OpenAFS (SuSE 9 ships
with 1.2.10) that uses a self-built MIT Kerberos 5,
v1.3.1 (SuSE 9 ships with heimdal) system for
authentication. Thank you for the help!
While I'll admit to not having read all of the
documentation yet, I have read all of the conceptual
stuff, the QBG, and portions of the administrator's
reference and administrator's guide.
Naturally, I'm learning as I go and studying the docs
very carefully, but there's one issue that I'd like to
ask about because the docs I've read thus far don't
mention it: the Linux password shadow suite of
programs.
I searched the archive for this subject and saw a few
mentions of it, but none recently and none in much
depth (except in regards to NIS which I'm not using
and would prefer avoiding unless it makes a lot of
sense to use it).
As would most people I guess, I'd like to have all AFS
user data (stuff found in /etc/passwd (login shell,
unix uid, unix gid, Name, home directory), /etc/shadow
(password and related data), the kerberos database
(principals and their privileges), openafs acls,
openafs uid, etc.) be centrally located, universally
accessible, and easy to maintain.
Based on the docs I've read thus far, I should be
making a common /etc/passwd file on AFS and merging it
with each client machine's /etc/passwd file whenever a
change is made to the AFS /etc/passwd file using cron
or something.
My question(s) is/are:
Is that still the best way to do this?
And what about /etc/shadow? Do I need to write a
script for shadow that is similar to that found in the
docs on merging the AFS /etc/passwd file with each
client machine's /etc/passwd file?
For my purposes, except for each client machine's root
account, I'd like to have all users be authenticated
from a single (perhaps replicated) source, and not
have any user accounts on each client machine's local
authentication source (no local users except
root---only Kerberos users for the network).
Or even, is there a way to make a "network superuser"
that would have root access to all client computers?
Or is that a bad idea? What do people do for the root
password on each client machine when there are
hundreds (or more) client machines? Make them all the
same? Keep a database of machines and their root
passwords handy? Just curious...
I'm sure someone else besides me has encountered this
issue. Care to share your ideas on the best way to do
this? I guess LDAP is an option, but I haven't done
much with that. What are others in similar
circumstances doing?
Oh, and as a final complication, what about throwing
windows machines into the fray? I maintain several
Samba PDCs and their associated networks, and that
seems to offer a pretty good (though not ideal) model.
Is it possible to do something similar with Kerberos
and OpenAFS? I know there is a way (with native
Windows code) to have the Windows box be a member of a
Kerberos Realm and have the OS check an MIT Kerberos KDC
for login authentication, but it doesn't scale well
(requires changing each client machine's list of users
with every change in the network user list). Aside
from that, am I looking at a definite two-step login
process for windows machines authenticating against an
MIT Kerberos database and accessing OpenAFS volumes?
Many thanks for any thoughts.
-Kevin
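The merge the post describes (a central passwd file kept in AFS, folded into each client's /etc/passwd by a cron job, plus the open question of what to do about /etc/shadow) is the kind of script that is easy to get subtly wrong: a central file that carries a uid-0 line, a name or uid that collides with a local system account, or a duplicate uid can silently hand out privileges on every client. The following is an added example, not code from the OpenAFS documentation or from the original poster. It parses both files, keeps root and every local account below a system-uid threshold untouched, rejects central entries that would collide with them or with each other, forces the passwd password field to `x`, and emits matching shadow lines with a locked `*` password so that no local hash exists for network users and authentication is left to Kerberos through PAM. The threshold `SYSTEM_UID_MAX`, the AFS home paths and all sample entries are constructed assumptions for this illustration.

```python
"""Merge a central passwd file (kept in AFS) into a client's local
/etc/passwd without touching local system accounts.

Added example, not from the OpenAFS docs or the original post. The
policy (protect root and every local account below SYSTEM_UID_MAX,
reject central entries that collide with them) is an assumption.
"""
from typing import Dict, List, Tuple

SYSTEM_UID_MAX = 500  # assumption: local uids below this are never overwritten

Entry = Tuple[str, str, int, int, str, str, str]  # name,pw,uid,gid,gecos,home,shell


def parse_passwd(text: str) -> List[Entry]:
    """Parse passwd-format text; reject malformed lines instead of guessing."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append((name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def format_passwd(entries: List[Entry]) -> str:
    return "".join(f"{n}:{p}:{u}:{g}:{c}:{h}:{s}\n" for n, p, u, g, c, h, s in entries)


def is_protected(entry: Entry) -> bool:
    return entry[0] == "root" or entry[2] < SYSTEM_UID_MAX


def merge_passwd(local_text: str, central_text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (merged passwd text, list of (name, reason) rejected central entries).

    Local system accounts survive unchanged; every other local account is
    replaced by the central list, so a user removed centrally disappears here.
    """
    protected = [e for e in parse_passwd(local_text) if is_protected(e)]
    protected_names = {e[0] for e in protected}
    protected_uids = {e[2] for e in protected}

    merged: Dict[str, Entry] = {e[0]: e for e in protected}
    seen_uids = set(protected_uids)
    rejected: List[Tuple[str, str]] = []
    for name, _pw, uid, gid, gecos, home, shell in parse_passwd(central_text):
        if uid < SYSTEM_UID_MAX:  # covers uid 0 and the whole system range
            rejected.append((name, "uid in reserved system range"))
        elif name in protected_names or uid in protected_uids:
            rejected.append((name, "collides with a protected local account"))
        elif name in merged or uid in seen_uids:
            rejected.append((name, "duplicate name or uid in central file"))
        else:
            # Password field is always 'x': any hash lives in shadow, and the
            # real credential check is expected to come from Kerberos via PAM.
            merged[name] = (name, "x", uid, gid, gecos, home, shell)
            seen_uids.add(uid)
    return format_passwd(list(merged.values())), rejected


def merge_shadow(merged_passwd_text: str, local_shadow_text: str) -> str:
    """Build /etc/shadow for the merged passwd: keep local lines for protected
    accounts, give every network user a locked '*' password (no local login)."""
    local = {ln.split(":")[0]: ln for ln in local_shadow_text.splitlines() if ln.strip()}
    out = []
    for entry in parse_passwd(merged_passwd_text):
        name = entry[0]
        if is_protected(entry) and name in local:
            out.append(local[name])
        else:
            out.append(f"{name}:*::0:99999:7:::")
    return "\n".join(out) + "\n"


# Constructed sample input (not real accounts): the central file smuggles a
# uid-0 line, a system-range uid and a duplicate uid; all three must be refused.
LOCAL_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/bin/bash\n"
    "olduser:x:1001:100:Old User:/home/olduser:/bin/bash\n"
)
CENTRAL_PASSWD = (
    "root:x:0:0:not root:/root:/bin/bash\n"
    "kevin:x:1000:100:Kevin:/afs/example.cell/user/kevin:/bin/bash\n"
    "bob:x:1:100:Bob:/afs/example.cell/user/bob:/bin/bash\n"
    "alice:x:1000:100:Alice:/afs/example.cell/user/alice:/bin/bash\n"
)
LOCAL_SHADOW = (
    "root:$6$fakehash:12000:0:99999:7:::\n"
    "bin:*:12000:0:99999:7:::\n"
    "olduser:$6$oldhash:12000:0:99999:7:::\n"
)

if __name__ == "__main__":
    passwd, refused = merge_passwd(LOCAL_PASSWD, CENTRAL_PASSWD)
    print(passwd)
    print(merge_shadow(passwd, LOCAL_SHADOW))
    for name, why in refused:
        print(f"rejected {name}: {why}")
```

Run from cron, the script would write the two results to temporary files and install them with `vipw`-style locking rather than overwriting /etc/passwd in place; the rejected list is worth logging, since a rejected root or duplicate-uid line in the central file is exactly the event an administrator wants to notice.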