For various auditing reasons, we have centralized our passwords into our Active Directory environment. (Also because everybody gets a Windows account, and AD can easily enforce password changes, strong passwords, etc).
Most of our Linux systems are RHEL, and it's very easy to have them use AD for its password store, via kickstart. In the Kickstart file, set the "auth" options to include "--enablekrb5 --krb5kdc=winDC.your.dom.ain:88 --krb5adminserver=winDC.your.dom.ain:749 --krb5realm=YOUR.DOM.AIN"
But of course, Ubuntu doesn't use Kickstart, and if I had many Ubuntu machines to deploy I'd figure out how to set it up automatically. In the mean time, it's not too hard.
sudo apt-get install libpam-krb5 krb5-user kinit myusername # Check that things work sudo pam-auth-update # Tell PAM that you want both KRB and local authentication ssh localhost # Use your windows password to log inAnd then go in and change your /etc/shadow entry to lock out the password you initially set for your username, by changing the encrypted string to *KRB*.