As far as I know, isn’t likewise an authentication/identify service for Linux that integrates with PAM and NSS?

I don’t see how that could help me with the MAPI situation – with MAPI the client can authenticate directly with the Exchange server. I don’t know how the AD kerberized single-sign-on helps with MAPI, but I’m pretty sure it shouldn’t be needed. Besides – it works, its just extremely crashy. The Fedora bug list currently clocks in at 155 active crash reports (which are just people who went to the bother of setting up a Bugzilla account and submit reports – I for one don’t do that anymore because its annoying).