Please note: the setup below can nowadays be implemented much more easily with FreeIPA.
First I drafted these features, looking for an all-in-one authentication/directory solution that would give users single sign-on and some other features:
After some tries the path became clear: OpenLDAP/bind/MIT Kerberos on a server. The common setup in corporations is Windows workplaces hooked into an AD domain. The setup described here establishes a trust between the AD server and the OpenLDAP/bind/MIT Kerberos server, allowing the AD domain users to use services from the MIT Kerberos realm, such as logging in via ssh. I should set this up later using FreeIPA for hosting the LDAP/Kerberos services.
With this solution all Linux/Unix servers are serviced by open-source software, which eases debugging and operation. Using those components from, e.g., Red Hat, one can get support if needed. Windows workplaces are handled by the AD servers; a cross-realm setup with MIT Kerberos is apparently supported by Microsoft.
One can use “{SASL}<user>@<REALM>” in the “userPassword” attribute of the users so that OpenLDAP delegates password checks to saslauthd, which is configured with Kerberos as its backend. Password changes can be done with the pam_krb5 module.
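The pass-through described above, as an added example that is not part of the original post: the saslauthd and slapd SASL configuration fragments, a helper that builds the `{SASL}user@REALM` value (refusing a lower-case realm, which Kerberos would not match), and the LDIF that switches one entry over. The file locations (RHEL-style `/etc/sysconfig/saslauthd`, `/etc/sasl2/slapd.conf`), the realm `EXAMPLE.COM`, the user `alice` and the DNs are assumptions; set `PREFIX` to a scratch directory to dry-run the file writers.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed paths/realm/users; set
# PREFIX to a scratch directory to write the config files somewhere harmless.
set -e
PREFIX="${PREFIX:-}"

# 1. saslauthd checks passwords against the Kerberos realm. "-r" makes it
#    pass user@REALM through as one name, which is what {SASL}user@REALM needs.
write_saslauthd_conf() {
    mkdir -p "$PREFIX/etc/sysconfig"
    cat > "$PREFIX/etc/sysconfig/saslauthd" <<'EOF'
SOCKETDIR=/run/saslauthd
MECH=kerberos5
FLAGS="-r"
EOF
}

# 2. slapd's own SASL config: send plain-text password checks to saslauthd
#    (older installs read /usr/lib/sasl2/slapd.conf instead).
write_slapd_sasl_conf() {
    mkdir -p "$PREFIX/etc/sasl2"
    cat > "$PREFIX/etc/sasl2/slapd.conf" <<'EOF'
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
EOF
}

# 3. Build the userPassword value. Kerberos realms are upper case by
#    convention; a lower-case realm would simply fail to authenticate, so
#    reject it here instead of storing a value that never works.
sasl_userpassword() {
    user="$1"; realm="$2"
    case "$realm" in
        *[[:lower:]]*) echo "realm must be upper case: $realm" >&2; return 1 ;;
    esac
    printf '{SASL}%s@%s\n' "$user" "$realm"
}

# 4. LDIF that replaces a user's stored hash with the Kerberos pass-through.
#    After this, the password lives only in the KDC; "passwd" via pam_krb5
#    changes it there and nothing in LDAP needs updating.
passthrough_ldif() {
    dn="$1"; user="$2"; realm="$3"
    pw="$(sasl_userpassword "$user" "$realm")" || return 1
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$dn" "$pw"
}

# Usage on the LDAP server (as root), all values assumed:
#   write_saslauthd_conf; write_slapd_sasl_conf; systemctl restart saslauthd slapd
#   passthrough_ldif 'uid=alice,ou=people,dc=example,dc=com' alice EXAMPLE.COM \
#       | ldapmodify -x -D cn=admin,dc=example,dc=com -W
# Verify each layer separately, innermost first:
#   testsaslauthd -u alice -r EXAMPLE.COM -p 'her-password'   # saslauthd -> KDC
#   ldapwhoami -x -D uid=alice,ou=people,dc=example,dc=com -W # slapd -> saslauthd
```

Checking saslauthd with `testsaslauthd` before touching LDAP keeps the two failure modes apart: a KDC or keytab problem shows up there, whereas a wrong `saslauthd_path` or a slapd built without SASL pass-through support only shows up at the `ldapwhoami` step.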
Host reachable under the DNS names name1.asd.net and name2.def.org: create the principals host/name1.asd.net and host/name2.def.org and store them in the keytab. Try setting 'GSSAPIStrictAcceptorCheck no' in sshd_config (this lets sshd use a principal whose name differs from the hostname). Patches for this also exist; Quest also distributes an OpenSSH version with such a patch.
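The multi-name host setup above, as an added example that is not part of the original post: a generated kadmin script that creates one `host/` principal per DNS name and adds it to the keytab, a check that parses `klist -kt` output to confirm every expected name really has a key before sshd is reconfigured, and the sshd_config lines. The hostnames are the post's; the realm `ASD.NET`, the keytab path, kadmin access and the constructed `klist` listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Realm, keytab path and the
# sample klist output below are assumptions/constructed for a dry run.
set -e

# Emit kadmin commands: one host principal per DNS name, key appended to the
# keytab. -randkey gives the host a random key nobody knows, which is what a
# service principal should have.
kadmin_script() {
    keytab="$1"; shift
    for host in "$@"; do
        printf 'addprinc -randkey host/%s\n' "$host"
        printf 'ktadd -k %s host/%s\n' "$keytab" "$host"
    done
}

# From "klist -kt" output on stdin, print the hostnames of the host/
# principals, once each (a keytab holds one line per key version/enctype).
keytab_hosts() {
    awk '$NF ~ /^host\//{split($NF,p,"[/@]"); if(!seen[p[2]]++) print p[2]}'
}

# Fail unless every expected name has a host/ key in the listing on stdin.
# Run this before flipping GSSAPIStrictAcceptorCheck: with "no", sshd will
# happily use whatever host/ keys exist, so a missing one shows up only as
# clients falling back to password auth for that name.
check_keytab() {
    have="$(keytab_hosts)"
    for host in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$host" \
            || { echo "missing host/$host in keytab" >&2; return 1; }
    done
}

# sshd_config fragment. With the strict check off, sshd accepts a ticket for
# any host/ principal in its keytab instead of only host/<gethostname()>.
sshd_gssapi_config() {
    cat <<'EOF'
GSSAPIAuthentication yes
GSSAPIStrictAcceptorCheck no
EOF
}

# Constructed sample of "klist -kt /etc/krb5.keytab" (two enctypes for the
# first principal, to show the de-duplication).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 00:00:00 host/name1.asd.net@ASD.NET
   2 01/01/2024 00:00:00 host/name1.asd.net@ASD.NET
   2 01/01/2024 00:00:00 host/name2.def.org@ASD.NET'

# Usage on the server (as root, assumed admin principal):
#   kadmin_script /etc/krb5.keytab name1.asd.net name2.def.org | kadmin -p admin/admin
#   klist -kt /etc/krb5.keytab | check_keytab name1.asd.net name2.def.org
#   sshd_gssapi_config >> /etc/ssh/sshd_config && sshd -t && systemctl reload sshd
# Dry run against the constructed listing:
#   printf '%s\n' "$SAMPLE_KLIST" | check_keytab name1.asd.net name2.def.org
```

`sshd -t` after editing sshd_config catches a typo in the option name before the daemon is reloaded; once it is running, `ssh -v name2.def.org` should show GSSAPI authentication succeeding under the second name as well, which is exactly what the strict acceptor check would otherwise refuse.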