In my company, we're pitching a Kerberos-based solution to authenticate tens of thousands of Linux users to Active Directory. To increase the likelihood of approval by the higher-ups, we really need to eliminate all perceived security holes.
Although preauthentication helps some, Kerberos version 5 is susceptible to offline, brute force, password attacks on the initial AS-REQ. I saw some discussion about this from a few years ago in the archives, but nothing recently. Is there a solution to this issue yet? If not, what progress has been made, and what direction is being taken? I do have some familiarity with MIT Kerberos source code internals, having interfaced some the library's low-level profile and DNS SRV functions to hack out support for Microsoft's extended version of DNS SRV. Depending on how big the task is, I might be able to spend some time at work to code a solution.