I suppose someone had to post this message at some point, so I thought "why not me?".
Single sign-on is widely heralded as the holy grail of computing. So: Microsoft have created the Services for Unix add-on to their popular Windows Server System, which adds optional RFC2307 entries into the Active Directory LDAP database (on domain controllers). The important part of this is UID/GID allocation, which the upcoming Samba 3.0.25 will support natively with its Winbind system. (When Samba is joined to an AD domain, winbind will utilise the UID/GID entries set up in the RFC2307 fields.) This effectively means that, if one can come up with a way of entering user data directly into Active Directory from Virtualmin, complete with the RFC2307 entries, single sign-on across all *ix and Windows boxes in the network will be possible.
Another bonus of this research is that, once you can directly create entries in the AD database from Virtualmin, porting the entire system to a Windows server would become somewhat easier, as user and group creation has already been addressed. The next step in porting to Windows would be to decide whether to use native Windows services (IIS etc.) or to install Apache and Postfix on the Windows box. When using native Windows services you don't need to worry about the authentication side, as everything has AD auth already built in and just needs setting up to reference the correct user (though I'm unsure about an suexec-type system for Windows). If using Postfix on a Windows system, there is the problem of auth data for the SASL stuff, along with the question of where Postfix gets its list of local users from. MySQL is not a problem, as it auths against its own database. Apache is not a problem if we just use one username for the processes, but there are issues when thinking about suexec. This issue with suexec can be overcome, though, by using the Interix-based POSIX subsystem installed by the Services for Unix package to run Apache in a native POSIX environment with full support for user context switching.
My ideal system is to use Windows as the backing store for files and users/groups, exporting the users and groups to Samba/Winbind, and setting up an NFS file share for the user home directories. Then my CentOS box with Virtualmin on it will import the users/groups/files via NFS and Winbind. This would allow me to provision as many Windows boxes as I need into the AD domain, and as many Linux boxes authenticating against the AD domain via Samba. This will allow me to set up SSO-based distributed SSH on my mini-cluster (when turned on), have proper network-based auth on my desktop machines running Windows, and finally, when I boot a desktop into Linux, I will be able to log in using the same username and password as in Windows.
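As an added illustration of the provisioning step the post describes (writing RFC2307 attributes onto an AD user so that winbind can map it to a UID/GID), here is an example script that is not part of the post, Virtualmin or Samba. It assumes the Windows Server 2003 R2-style attribute names uidNumber, gidNumber, unixHomeDirectory and loginShell (the older SFU 3.5 schema prefixes them with msSFU30), a hypothetical domain example.com, and a constructed snapshot of existing users in place of a real LDAP search. The security point it enforces is that whatever tool writes these attributes becomes authoritative for the UID on every domain-joined Linux host, so it must only allocate from the range winbind is configured to trust and must refuse duplicates and values that would alias a local system account such as uid 0.

```python
"""
Allocate RFC2307 uidNumber/gidNumber values for AD users and emit the LDIF
that adds them to the user object.  Added example; not code from the post,
Virtualmin or Samba.  Directory contents below are constructed for the demo.
"""
import re

# Assumed policy: the same range handed to winbind in smb.conf, e.g.
#   idmap config EXAMPLE : backend = ad
#   idmap config EXAMPLE : schema_mode = rfc2307
#   idmap config EXAMPLE : range = 10000-19999
# Anything outside it is rejected so an AD object can never map to uid 0,
# a daemon account, or a locally created user below 10000.
UID_RANGE = (10000, 19999)
GID_RANGE = (10000, 19999)

# Constructed snapshot of posixAccount data already present in the domain
# (in practice this comes from an LDAP search for users with uidNumber set).
EXISTING_USERS = {
    "CN=alice,CN=Users,DC=example,DC=com": {"uidNumber": 10000, "gidNumber": 10000},
    "CN=bob,CN=Users,DC=example,DC=com": {"uidNumber": 10001, "gidNumber": 10000},
}

# Usernames end up in a filesystem path (unixHomeDirectory), so keep them to
# a conservative POSIX-style character set before interpolating them.
SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def next_free_uid(existing, uid_range=UID_RANGE):
    """Lowest unused uidNumber inside the trusted range."""
    used = {a["uidNumber"] for a in existing.values() if "uidNumber" in a}
    for uid in range(uid_range[0], uid_range[1] + 1):
        if uid not in used:
            return uid
    raise RuntimeError("uidNumber range exhausted")


def check_posix_attrs(uid, gid, existing, uid_range=UID_RANGE, gid_range=GID_RANGE):
    """Reject values outside the winbind range or colliding with another user."""
    if not uid_range[0] <= uid <= uid_range[1]:
        raise ValueError(f"uidNumber {uid} outside allowed range {uid_range}")
    if not gid_range[0] <= gid <= gid_range[1]:
        raise ValueError(f"gidNumber {gid} outside allowed range {gid_range}")
    for dn, attrs in existing.items():
        if attrs.get("uidNumber") == uid:
            raise ValueError(f"uidNumber {uid} already used by {dn}")
    return True


def rfc2307_ldif(dn, username, uid, gid, existing, home_base="/home"):
    """LDIF 'modify' record adding the RFC2307 attributes to an existing AD user."""
    if not SAFE_NAME.match(username):
        raise ValueError(f"refusing unsafe username {username!r}")
    check_posix_attrs(uid, gid, existing)
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "add: uidNumber", f"uidNumber: {uid}", "-",
        "add: gidNumber", f"gidNumber: {gid}", "-",
        "add: unixHomeDirectory", f"unixHomeDirectory: {home_base}/{username}", "-",
        "add: loginShell", "loginShell: /bin/bash", "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    new_dn = "CN=carol,CN=Users,DC=example,DC=com"
    uid = next_free_uid(EXISTING_USERS)
    print(rfc2307_ldif(new_dn, "carol", uid, 10000, EXISTING_USERS))
```

The printed record can be fed to `ldapmodify -H ldaps://dc.example.com -Y GSSAPI -f carol.ldif` from a Kerberos-authenticated host (the hostname is an assumption); the gidNumber 10000 used here stands for a pre-existing domain group whose own gidNumber was allocated the same way. Using the Kerberos identity of the provisioning host rather than a stored bind password keeps the credential that can write UID mappings out of the Virtualmin configuration files.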