local and kerberos passwords (beginner question)

vadim vadim.tarassov at swissonline.ch
Mon Mar 15 14:05:09 EST 2004


Hello everybody,

We've got ca. 20 Solaris boxes. Passwords on these boxes are not
synchronized, we do not yet use pam_ldap. Besides this, passwords
expire every 30 days and, as you can imagine, in an arbitrary manner.

We have compiled MIT Kerberos and OpenSSH with Heimdal (mainly because
OpenLDAP mailing list insists on threading issues in GSSAPI from MIT).
Now we have SSO. But there is a problem with security policies at our
campus - if we do not change an expired password within 90 days our
accounts get revoked. What would you do in order to sort out this mess?
I imagine we

1) have to synchronize our password via pam_ldap
2) synchronize our local passwords with Kerberos password via pam_krb5.

Would it be the correct approach? For me it sounds toooooo complicated.

Thanx a lot in advance, vadim tarassov.


