I have a lot of boxes that are all local user accounts. We want to start consolidating them into an Active Directory system. (I know... I know... It has to be Active Directory, not OpenLDAP, Kerberos or anything like that.) I am looking for some way to not only move the accounts, but most importantly move the passwords that are already encrypted.
Is there any sort of PAM libraries or other types of scripts that could be used to just move from one setup to another?
The issue that I see is that local Unix passwords are salted hashes. I don't think Active Directory does that, and there is no way to get from a salted hash to a plaintext password. To do this you would have to essentially sniff the password as the user enters it and validate it against the hash. You can do this (it may or may not be easy), but it is wrong in principle.
Why are you so reluctant to change passwords? I would investigate that first, because it seems to me that whatever the reason behind that reluctance, it is probably a security concern.
This seems impossible to me as well. This is why, for future reference, people put a lot of effort into Kerberos authentication on Linux boxes, or going full on Windows domain compatibility with Samba/Winbind. It nips this problem in the bud.
So, if your users already have parallel domain accounts they do not use on the Linux boxes, what would be easier is the reverse: getting the Kerberos authentication that underlies AD to work on the Linux boxes, and changing PAM to prioritize authentication with AD/Kerb before the local authentication subsystems. Not sure if that makes sense, but you have hope if that is possible for you. That is not as bad as it sounds.
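As an added illustration of the "AD/Kerberos first, local fallback" PAM ordering the answer describes (example configuration, not from the original post), this is what a Debian/Ubuntu-style `common-auth` stack with `pam_krb5` looks like; `EXAMPLE.COM`, `dc1.example.com` and the `minimum_uid=1000` cutoff are assumed placeholders to adjust for your realm:

```text
# /etc/krb5.conf (assumed AD realm; EXAMPLE.COM and dc1.example.com are placeholders)
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }

# /etc/pam.d/common-auth (Debian/Ubuntu layout, as generated by pam-auth-update
# with libpam-krb5 installed). Kerberos is tried first: on success the next two
# lines (pam_unix and pam_deny) are skipped and pam_permit ends the stack. On
# failure the same typed password is reused against /etc/shadow (try_first_pass),
# so users not yet in AD keep working during the migration. minimum_uid keeps
# system accounts (root, daemons) on local authentication only.
auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
```

The local account must still exist under the same username (pam_krb5 only authenticates, it does not create users), and it is worth keeping a root shell open while testing so a mistake in this file cannot lock you out.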