The Solution to the single-authentication problem

Single sign-on across a heterogeneous network can be done many ways, only one of which is account synchronization.

If the network comprises only popular UNIX based operating systems, e.g. a mix of Solaris/Linux/IRIX/AIX/HPUX/OS-X, etc., then you can get away with a simple configuration of the following protocols...
Most UNIX based operating systems use PAM (Pluggable Authentication Modules) to control the basic user account issues.

Fig. 1. PAM use (oversimplified)

PAM is a very capable abstraction layer, and can be used to control all types of user account behavior such as password strength policies, user resource limits, time of day restrictions and many others.  PAM works by simply including a PAM "module" for the protocol you wish to use as your authentication protocol and configuring the PAM parameters for that module.  e.g.  LDAP would use module, which comes with most UNIXes.

Throwing Microsoft Windows in the mix creates some complications.  Unlike Windows, just about every UNIX, including Apple's OS X, can natively talk directly to some or all of the authentication services, especially LDAP.  This means an administrator can configure a Mac OS X computer to search an LDAP server for user accounts, for example.  This cannot be done on Windows, hence the diagram below...
[Diagram: LDAP based network]
Notice that there is the "LDAP Account Synchronization" link in the middle between Microsoft Windows and "everybody else".

So how do you integrate Windows into your single sign-on network?
There are other solutions out there as well.  Many solutions that have you authenticate UNIX servers off Windows 2000 servers using only LDAP do not allow UNIX users to change passwords using the "passwd" command or a suitable replacement.

A good solution is SAMBA, if it works for your environment: native mode is not officially supported yet, and there are some situations where having a non-Windows based PDC complicates things further.  GINA based solutions require you to install software on all Windows client machines, which is a maintenance headache if you are short on support staff, but very good for small groups of Windows clients.  Account synchronization only requires software to be installed on the Windows domain controllers, and allows Windows clients to use their natural password change dialogs.  But the Windows to LDAP link must either stay intact, or the synchronization script must have logic to store or deny change requests in the event of failure.
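
The store-or-deny logic that the last sentence asks of the synchronization script, as an added example (not code from the original page or from any synchronization product). The names PasswordSync, LinkDown and FakeDirectory and the push callable are hypothetical, and FakeDirectory is a constructed stand-in for the LDAP server.

```python
from collections import OrderedDict

class LinkDown(Exception):
    """Raised by the push callable when the LDAP server is unreachable."""

class PasswordSync:
    def __init__(self, push, on_failure="deny"):
        if on_failure not in ("deny", "store"):
            raise ValueError("on_failure must be 'deny' or 'store'")
        self.push = push  # callable(user, secret); raises LinkDown on failure
        self.on_failure = on_failure
        # Stored changes are credential material: a real spool must be
        # encrypted at rest and readable only by the sync service.
        self.pending = OrderedDict()

    def flush(self):
        """Replay stored changes oldest-first; stop at the first failure."""
        while self.pending:
            user, secret = next(iter(self.pending.items()))
            try:
                self.push(user, secret)
            except LinkDown:
                return False
            del self.pending[user]
        return True

    def change(self, user, secret):
        """Handle one Windows change: 'synced', 'queued' or 'denied'."""
        try:
            if not self.flush():  # never overtake changes still waiting
                raise LinkDown()
            self.push(user, secret)
            return "synced"
        except LinkDown:
            if self.on_failure == "deny":
                return "denied"  # caller must reject the Windows change too
            self.pending.pop(user, None)  # newest password per user wins
            self.pending[user] = secret
            return "queued"

class FakeDirectory:
    """Constructed stand-in for the LDAP server (demo only)."""
    def __init__(self):
        self.up, self.store = True, {}
    def push(self, user, secret):
        if not self.up:
            raise LinkDown()
        self.store[user] = secret
```

With "deny" the two directories never diverge but users cannot change passwords during an outage; with "store" they can, at the cost of holding unsent credentials until the link returns.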