Kfw question

Matt Lists listy at fastmail.fm
Wed Jun 12 13:21:42 EDT 2013


Hi... I'm hoping that questions about MIT Kerberos for Windows are
on-topic here.  Apologies in advance if this is not the case.

We have a Samba 3 domain and also separate MIT Krb5 KDCs, where the
principal names match the Samba userids.  On previous Windows XP
machines with Kfw 3.x installed, Kfw would somehow automatically get a
TGT from the KDC when the user logged into the Samba domain via the
Windows domain logon dialog.  I always assumed that Kfw somehow had
access to the cleartext password entered by the user, but don't know if
that's true.  (Was there some kind of Windows password cache, or
something via the GINA API?)

Now on Windows 7, I can't seem to get Kfw 3 or 4 to behave the same way
(still the same old Samba 3 domain).  I understand that Kfw 4 can import
credentials from the Windows 7 LSA, but I don't think that will help me,
as we are using old NTLM-style authentication rather than AD-style, and
thus Windows has no tickets.

I've done a lot of searching to see how to get this to work, but have
come up short.  Is it still possible to do this?  If so, any whacks with
a cluebat would be greatly appreciated.

Thanks in advance,
-Matt

