Here's our current environment:

NW 6.5 SP6 servers
Universal Password is enabled and used
We use IDM 3.5 to sync users and passwords to AD

We have Windows 2000 "domain" controllers (or whatever they're called in
AD). All our workstations are computers in that domain.

So the user has one login and one password.

From reading the manual for CIFS, it sounds like I cannot use Domain
authentication because then it won't let people change their passwords
on the computers? (page 32, 2nd paragraph).

But I can't use local password because our users don't have local
accounts, they're all domain accounts.

Can you not use CIFS to have a single userid/password in an AD Domain?