> So I was looking for alternatives. MS's SFU ssod looks ok but only
> supports NIS password changes (out of the box). I don't suppose anyone
> has changed ssod to support Kerberos password changes.


I guess you already have an AD, so you don't need either CEDAR nor
password sync. The only thing you need is the schema extension from
SFU (not the NIS thing). Using pam-krb5 and nss-ldap will give you a
high degree of integration, at least as good as with any password
replication and much easier. If you want to turn unix
workstations/servers domain members, you can choose from adkadmin
(http://www.css-security.com/cgi-bin/dnld_list.pl), ktpass.exe (from
W2K support tools, don't remember the exact name) or samba (>=3).
I made such setup with a 2003 AD around 2004 and it worked fine. I did
even got an apache server as domain "member", allowing GSSAPI and
single-sign-on.

> Or knows of a better password change hook in windows (and not too
> pricey).


On the non-open world you have vintela (never used and no idea about price)