Zentyal LDAP schema already implements RFC2307 (unfortunately not 2307bis) so you can directly set up NSS to rely on LDAP at least for accounts and groups. Kerberos should be quite easy to.
You can also set up PAM_ldap in case you have some applications not supporting Kerberos.
However, if you currently have NIS domain, there is a couple of things you have to keep in mind:
- RFC2307 instead of RFC2307bis
- only map for passwd and group are implemented (and shadow
but I strongly discourage to read userpassword attribute)
- other NIS services are not implemented
- there is not "host" attribute permitting to centrally control which workstations is authorize for who. (I made a request for new feature about this mast point)