I've been working with both Kerberos and Samba for 20 years. Writing "Yet Another Authentication Management Tool(tm)" sounds unappealing, since there are so many well established and tested ones. I'm actually curious what you found inadequate about Samba, especially if you used the 4.0.x releases which have stabilized the LDAP/Kerberos interactions in effective cross-platform ways.
Now, if our friends over in Debian wanted to improve an underlying Kerberos tool that's used for both Debian and Scientific Linux and other red Hat based systems, I'd look at the "authconfig" tool and its /etc/pam.d interactions, which are very flexible and not well managed. *Try* using "authconfig" to delete the default enabled "
example.com" Kerberos domain from /etc/krb5.conf, or to manage integraiton with upstream Kerberos domains, I dare you, Or try preventing "authconfig" from resetting values which you didn't put in the command line, or getting it to load from an actual configuration file, or to enable local password expiration. It gets crazy out there!
But that's not a Kerberos problem, that's an authconfig and pam.d managemnt problem.