| 1. | What are the three types of Kerberos principals? |
| 2. | What is the KDC process on Mac OS X Server? |
| 3. | What process is responsible for making changes to the Kerberos database? |
| 4. | Why can the TGT be sent in clear text from the Kerberos client back to the KDC? |
| 5. | Why is it recommended that the /var/db/krb5kdc principal file be secured? |
| 6. | What is the name of the KDC's configuration file? |
| 7. | What is the name of the configuration file of kadmind? |
| 8. | What is SASL and how is it leveraged in Open Directory? |
| 9. | What tool does Password Server use to keep the KDC in sync? What tool does the KDC use? |
| 10. | Why might an administrator choose to disable some Password Server authentication methods? |

| 1. | User (user@REALM), host (host/fqdn@REALM), and service (service/fqdn@REALM) |
| 2. | The KDC process is krb5kdc. |
| 3. | kadmin |
| 4. | The TGT is already encrypted with a key known only to the KDC. The client may pass it around in the clear because it is useless without a session key, which is never passed over the wire unencrypted. |
| 5. | It contains all of the user keys. |
| 6. | kdc.conf |
| 7. | kdc.conf |
| 8. | The Simple Authentication and Security Layer (SASL) is a standard way of negotiating secure authentication- and transport-based protocols such as LDAP and IMAP. It is used by Password Server to provide legacy authentication protocols to Mac OS X Server services. |
| 9. | kadmin.local and mkpassdb |
| 10. | Some are more secure than others. Specifically, APOP requires that the user's password be stored in clear text. |