Dear people,

There is a couple of recipes on the Internet on how to set up Kerberos,
LDAP and DNS to get an authentication realm with single sign-on.
In part, there are nice (although little obsolete) recipes from
Jason Haiss and Turbo Fredriksson, as well as Travis Crawford article
in SAMAG, and some others.

Currently, some IT-people around me have an idea
to (mostly) replace Windows (2000) domain with Kerberos realm.
However there are some problems on their way, like:

1. In Windows, you could log on with cached credentials in case
the DC is unreachable. Then, when a DC becomes reachable,
your Windows may lock your session and force you to revalidate
your password (in case it had been changed on DC from another
session). How would you recommend to reimplement similar
functionality with available open-source/free software ?

2. What mail server (authenticated smtp&imap) and what mail client
(Novell's Evolution?) to choose to make use of KRB single sign-on ?

3. What is better to use as a GUI browser/mounter for
network/SMB shares (with the same single sign-on, of course) ?

In fact, simple end users of information technologies
do not want big disruptions after the migration.
They would like to keep familiar feeling
of being logged in to a domain.

Hoping to get some advises from the competent people in the newsgroup
on the topics above. May be they would become useful augments
to the existing howtos.

Thank you in advance for your replies.