But I have a problem: how to move passwords/auth information from MIT Kerberos to AD?
You don't. While Kerberos hashes have to be the same between systems, because they're used as encryption and decryption keys, none of the public APIs allow setting them directly. Given that AD requires it be given plaintext passwords, and your LDAP/KRB5 install is dutifully discarding that, you need to either wait for a password change or break the cardinal rule and keep passwords around in reversible form at least temporarily, assuming you've got some middleware for sending password changes to OpenLDAP/Kerberos that you can instrument.
I understand some kind of delegation between them is possible, but this wouldn't solve my problem? Or can I do AD authentication against a MIT Kerberos KDC?
This is the approach we're considering at the moment.
Authenticating to Windows using Kerberos
This is known as a cross-realm trust. A few important things to note. Finding an encryption type common to all realms is critical, and will usually depend on AD. The version of AD you're using typically dictates the crypt of the day. The best guide to setting this up I've found actually comes from Microsoft: Kerberos Interoperability Step-by-Step Guide for Windows Server 2003. The key problem I ran into was telling it which encryption type to use for the cross-realm trust, which other guides written a long time ago neglected to mention.
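A check for the encryption-type point above, written here as an added example and not part of the original answer: after a cross-realm kinit, it parses `klist -e` output (the sample below is constructed, not captured from a real system) and flags any cross-realm TGT whose ticket enctype falls outside the set both realms agreed on. The realm names and AGREED_ENCTYPES are assumptions for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of MIT `klist -e` output (not from any real system).
# The second ticket is the cross-realm TGT; its ticket enctype (the value
# after the comma) is the one the other realm's krbtgt key actually uses.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@MIT.EXAMPLE.COM

Valid starting       Expires              Service principal
01/02/2024 10:00:00  01/02/2024 20:00:00  krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/02/2024 10:00:05  01/02/2024 20:00:00  krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
"""

# Enctypes the two realms are supposed to share (assumed policy for this example).
AGREED_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+)$")      # date time  date time  principal
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\): ([\w-]+), ([\w-]+)")

@dataclass
class Ticket:
    service: str
    skey_enctype: str
    tkt_enctype: str

def parse_klist(text: str) -> list[Ticket]:
    """Pair each 'Service principal' line with the Etype line that follows it."""
    tickets, pending = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m and "@" in m.group(1):          # skips the column-header line
            pending = m.group(1)
            continue
        m = ETYPE_RE.match(line)
        if m and pending:
            tickets.append(Ticket(pending, m.group(1), m.group(2)))
            pending = None
    return tickets

def cross_realm_problems(tickets, agreed=AGREED_ENCTYPES):
    """Return (service, enctype) for cross-realm TGTs (krbtgt/OTHER@HOME) off policy."""
    problems = []
    for t in tickets:
        svc, realm = t.service.split("@", 1)
        is_cross_realm = svc.startswith("krbtgt/") and svc[len("krbtgt/"):] != realm
        if is_cross_realm and t.tkt_enctype not in agreed:
            problems.append((t.service, t.tkt_enctype))
    return problems
```

Run against the sample, `cross_realm_problems(parse_klist(SAMPLE_KLIST))` reports the AD cross-realm TGT as issued with `arcfour-hmac`, which is the symptom of the trust's krbtgt principals having been created without an explicit, agreed encryption type.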
There are 2 ways to do this depending on how comfortable you are.
1) Use Windows Easy Transfer under Programs -> System Tools.
This method is very easy:
Log in as the local user and use the Easy Transfer program to create an Easy Transfer file.
Put the machine on the domain.
Log in as the domain user and run the Easy Transfer program to unpack the file.
The problem with this method is it involves a copy and depending on how much data they have that can take a while. So what's the fastest way to do it?
2) Move the files from the local user profile to the domain user profile.
Using a move operation in Windows 7 as opposed to a copy is much faster if you are moving between locations on the same hard disk.
The first time you log in with a user, a profile is created for them under C:\Users. The profile for each user is simply a folder in this directory with their username. If you are using the same user names, the new folder will be called "username"."yourdomain". So all you have to do is move all the important files from the old profile to the new profile. Now technically you could just do a select all and move literally all the files from one profile to the other, but I would not suggest it, as there are system files that can make things a bit wonky if they don't move correctly.
Most of the good stuff will be in the folders Documents, Favorites (assuming you run IE), Pictures, Video, Music and AppData\Local\Microsoft\Outlook (AppData is hidden by default) if you have Outlook with .PSTs.
Best Answer
It's unlikely you'll be able to get the passwords out of OpenLDAP unless it operates in a manner different than the typical directory.
What some customers do in this scenario is stand up a middle layer for authentication that first checks the user's password against the source and then writes it to AD if it is valid prior to authenticating them. If you do this with a few key services, over a short period of time you'll capture most of the passwords.