Our network has a Windows 2000 server whose main purpose is to
share files to Windows users. It is an Active Directory server,
but the file-sharing clients are generally not AD clients, but
live in a separate domain. In fact, its AD service generally
is used by one W2K workstation, and four Linux/Solaris machines
running Samba 3. Also notable is the fact that user passwords
on this machine (and thus, to authenticate to the Samba servers
on the Unix boxes) are derived from the NIS passwords on the Unix
network using Microsoft's Unix services. This allows our users to
use a single password for Unix login, Windows login, and SMB
shares.

We want to get rid of the Windows machine.

It is easy enough to set up a Samba server on a Unix box that can
share out the files copied from the Windows system, but the problem
is authentication. We do not want plain-text passwords moving
across the network (which, if I understand correctly, precludes
the use of PAM - is this right?); but we also would like to maintain
the single-password usage between the Samba server and the Unix
(currently NIS) logins.

One solution would be to migrate to Kerberos-based authentication
across the board. But if it is possible to get Samba to authenticate
from a Kerberos server, I cannot see how to do it. Using "ADS"
security and a suitable Realm parameter almost works (I had to set
up a 'server$@REALM' principal, and when I try to connect with
smbclient -k it does grant me a ticket for that principal), but it
appears that Samba expects the server to be doing more than just
authenticating with Kerberos.

Am I walking up a blind alley, or is there a way to make this work?
Is there another alternative I have overlooked (e.g., setting up
AD service on an OS X Server machine)?

Mike
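The two settings the question turns on are Samba's `encrypt passwords` (whether clients send the cleartext password or an LM/NTLM response in the session setup) and `security = ads` (which needs at least `realm` and `workgroup` to be set). The following small audit script is an added example, not code from the original post or from the Samba project; it parses an smb.conf the way Samba reads it (parameter names are case-insensitive and ignore internal whitespace) and flags the plaintext-on-the-wire configuration the poster wants to avoid, plus an `ads` mode that is missing its required parameters. Both configuration fragments are constructed for the example; the defaults it assumes (`encrypt passwords = yes`, `security = user`) are the Samba 3 defaults.

```python
import re

# Constructed sample configurations (not from the original post).
# WEAK_CONF is the setting the poster wants to avoid: with encrypted
# passwords turned off, clients send the cleartext password over SMB.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   encrypt passwords = no

[share]
   path = /srv/files
"""

# ADS_CONF is the shape of the configuration the poster was attempting:
# security = ads with a realm and workgroup, and encrypted passwords kept on.
ADS_CONF = """
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   encrypt passwords = yes
   kerberos method = secrets and keytab
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}.

    Samba treats parameter names case-insensitively and ignores whitespace
    inside them, so 'Encrypt Passwords' and 'encryptpasswords' are the same
    key; section names are also lower-cased here. Lines starting with '#'
    or ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            key = re.sub(r"\s+", "", key).lower()
            sections[current][key] = value.strip()
    return sections


def as_bool(value, default):
    """Samba boolean: yes/true/1 are true; absent means the default."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def audit(text):
    """Return a list of findings about the [global] authentication settings."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    # Samba 3 defaults to encrypted (LM/NTLM) password exchange; disabling it
    # makes clients transmit the cleartext password in the SMB session setup.
    if not as_bool(g.get("encryptpasswords"), default=True):
        findings.append("encrypt passwords = no: cleartext passwords on the wire")

    # security = ads (Active Directory member) requires both the Kerberos
    # realm and the NetBIOS domain name (workgroup) to be configured.
    security = g.get("security", "user").lower()
    if security == "ads":
        if "realm" not in g:
            findings.append("security = ads without realm")
        if "workgroup" not in g:
            findings.append("security = ads without workgroup")

    # Only an explicit 'lanman auth = yes' is flagged; the weak LM hash
    # should not be accepted by a server that is otherwise using Kerberos.
    if as_bool(g.get("lanmanauth"), default=False):
        findings.append("lanman auth = yes: weak LM hashes accepted")

    return findings


if __name__ == "__main__":
    for name, conf in (("WEAK_CONF", WEAK_CONF), ("ADS_CONF", ADS_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Run against a real file with `audit(open("/etc/samba/smb.conf").read())`; the parser only reads the `[global]` section for the checks, so share-level settings are parsed but not audited.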