1. Authentication Scheme
Regarding the exact authentication mechanism on HCoop:
We have Kerberos and LDAP working. Kerberos holds user "principals" (account names + passwords), while LDAP keeps account names plus everything else (such as UIDs, GIDs, home directories, real names, permissions etc.). General policy is: all users have LDAP accounts and a Kerberos principal. Admins have passwd file account and a Kerberos principal. When needed, admins can also create a pure local-files-based account.
The whole authentication work is performed though a series of PAM (Pluggable Authentication Modules) configuration directives. PAM has four "management groups", listed in most-common order of execution: auth, account, session, and password. (The exact order of execution is controlled by the order of lines in /etc/pam.d/* files, with each file corresponding to a particular service).
Auth is concerned with actual username/password verification in the database. In our setup, when users type in the password, it is verified against the Kerberos database. If three attempts are unsuccessful, another prompt is displayed, allowing a user to enter Unix passwd file password. (Only administrators who create a local account would have one). Then, pam_env is invoked, which reads /etc/security/pam_env.conf. That way you can initialize environment variables in the user session. (Have in mind that, since this is done locally on a system, it doesn't play well with our "write-once read-many" idea of an infrastructure. We should discuss this at some point).
Account checks things like password aging etc. If the user has an LDAP account, then the Kerberos account module is invoked which checks for the list of allowed principals in ~/.k5login. Users with no LDAP account are just checked in the local password files. Then, pam_access is invoked, which reads /etc/security/access.conf. That way you can determine which users (and from where) are allowed to log in.
Session sets up session details. First pam_limits is invoked, imposing limits on users as defined in /etc/security/limits.conf. Then pam_krb5 is invoked which will only succeed if the user has a Kerberos principal. (If it has, it initializes the TGT ticket for them automatically). And then, finally, pam_unix_session is called which just logs session creation (and later session termination) to system log files. At that point, users are logged in.
Password is the management group involved only in changing the password (or whatever the authentication mechanism is). Currently, by default, Kerberos password is changed. Running kpasswd will change the Kerberos password; running passwd will change the local-files password, and will only work for people with pure local accounts.