Until such time as passwords are removed from the shadow file (and even beyond that, since some system accounts will keep shadow file passwords to allow console logins that do not go through the KDC), password updates made from desktop clients need to propagate back to the shadow files.
Password updates made on the Nebula system (for example) need to propagate to the KDC, and password updates made on the KDC need to propagate to the Nebula system.
The uwpw passwd utility calls a routine called "squirrel" that sends the new password to the KDC host to keep the databases synchronized. A server running on the KDC host squirrels the password away under reversible encryption so that the database can be rebuilt later, and at the same time applies the update to the KDC. Note that this store of reversibly encrypted passwords is as sensitive as the KDC database itself and must be protected accordingly. (done)
The kadmind server contains a hack that connects to servers on key systems and passes them new passwords so that they can update their local password files. For the UA passwords, that server will run on carver. (prototype waiting for Kerberos 1.0.5)
The utilities that need to authenticate will be modified to do a faux-Kerberos authentication. Faux-Kerberos validates the password against the KDC but does not provide the protection that real Kerberos does: passwords are still sent across the wire in plain text, no credentials are obtained or maintained, and so on.
The uwpw passwd utility on the UA systems will connect to the kadmin server on the KDC to change the Kerberos password directly. This is again faux-Kerberos, as the password still reaches the passwd utility across the wire in clear text. (ready to go)
The uwpw pwsync utility will not maintain the encrypted (or other) passwords for any of its systems, except for special "system" type accounts that need console access or access while the KDC is unreachable. The shadow files can be truncated. (ready to go)
The rshd utility on AIX needs to be changed so that it does not care about short or nonexistent encrypted password fields. (Code done, but not installed everywhere)
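The two previous items (truncated shadow files, and rshd tolerating short or empty password fields) share one pitfall: a service that stops rejecting an empty field must not start treating it as "no password needed" for local password authentication. The following is an added illustration, not code from uwpw, rshd, or AIX; the field classes, the 13-character DES crypt(3) length check, the function names, and the sample shadow lines are all assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the uwpw or rshd source. */

enum pw_field_class {
    PW_EMPTY,   /* field truncated by pwsync: account authenticates via the KDC only */
    PW_LOCKED,  /* explicit lock marker such as "*" or "!..." */
    PW_SHORT,   /* non-empty but too short to be a crypt(3) hash */
    PW_HASH     /* plausible crypt(3) hash: a local password exists */
};

/* Assumption: traditional 13-character DES crypt(3) output. */
#define DES_CRYPT_LEN 13

/* Extract the second colon-separated field of a shadow-style line.
 * Returns 1 on success, 0 if the line is malformed or the field is too long. */
int shadow_pw_field(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    if (start == NULL)
        return 0;
    start++;
    const char *end = strchr(start, ':');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= outlen)
        return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

enum pw_field_class classify_pw_field(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return PW_EMPTY;
    if (field[0] == '*' || field[0] == '!')
        return PW_LOCKED;
    if (strlen(field) < DES_CRYPT_LEN)
        return PW_SHORT;
    return PW_HASH;
}

enum pw_field_class classify_shadow_line(const char *line)
{
    char field[128];
    if (!shadow_pw_field(line, field, sizeof field))
        return PW_LOCKED;   /* unparsable entry: fail closed */
    return classify_pw_field(field);
}

/* A login that was ALREADY authenticated elsewhere (Kerberos, or rhosts
 * trust in rshd's case) should not be refused merely because the local
 * password field is empty or short. An explicit lock still refuses it. */
int allow_preauthenticated_login(const char *line)
{
    switch (classify_shadow_line(line)) {
    case PW_EMPTY:
    case PW_SHORT:
    case PW_HASH:
        return 1;
    case PW_LOCKED:
    default:
        return 0;
    }
}

/* A caller presenting a LOCAL password may only be checked against a real
 * hash. Empty or short fields mean "no local password", never "any password". */
int local_password_check_permitted(const char *line)
{
    return classify_shadow_line(line) == PW_HASH;
}

int main(void)
{
    /* Constructed sample entries; the hash is a made-up 13-character string. */
    const char *samples[] = {
        "alice::12345::::::",                 /* truncated by pwsync */
        "sysacct:xyQ2cRT3bKvGk:12345::::::",  /* console-capable system account */
        "nobody:*:12345::::::",               /* locked */
        "oddity:ab:12345::::::",              /* short, damaged field */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s preauth=%d local=%d\n", samples[i],
               allow_preauthenticated_login(samples[i]),
               local_password_check_permitted(samples[i]));
    return 0;
}
```

The two decision functions are deliberately separate: rshd and the faux-Kerberos utilities only need the first, while anything that still compares a typed password against the shadow file needs the second.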