Kerberos

    Basic Concepts in Kerberos

    Kerberos client, Kerberos server, application server

    In Kerberos, all authentication takes place between clients and servers. So in Kerberos terminology, a "Kerberos client" is any entity that gets a service ticket for a Kerberos service. A client is typically a user, but any principal can be a client (unless for some reason the administrator has explicitly forbidden this principal to be a client).

    The term "Kerberos server" generally refers to the Key Distribution Center, or the KDC for short. The KDC implements the Authentication Service (AS) and the Ticket Granting Service (TGS). The KDC holds the long-term secret key of every principal (for a user, this key is derived from the password; for a host or service, it is usually random). Whoever controls the KDC database can therefore mint tickets for, or impersonate, any principal in the realm. For this reason, it is absolutely vital that the KDC be as secure as possible.

    Most KDC implementations store the principals in a database, so you may hear the term "Kerberos database" applied to the KDC.

    For reliability purposes, it is possible to have backup KDCs. These have traditionally been referred to as slave servers (newer MIT releases use the terms replica and primary). The slaves all synchronize their databases from the master KDC; the master is the only KDC that accepts changes to the database.

    In most Kerberos implementations there is also an administration server which allows remote manipulation of the Kerberos database. This administration server usually runs on the KDC.

    The term "application server" generally refers to Kerberized programs that clients communicate with using Kerberos tickets for authentication. For example, the Kerberos telnet daemon (telnetd) is an example of an application server.
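    The three exchanges behind the terminology above (AS: the client logs in and gets a ticket-granting ticket; TGS: the client trades the TGT for a service ticket; AP: the client presents that ticket to an application server) can be modelled in a few dozen lines. The block below is an added illustration written for this page, not code from the FAQ or from MIT/Heimdal Kerberos. Its "encryption" is a toy construction (SHA-256 keystream plus HMAC) standing in for a real krb5 enctype, the principal names alice@FOO.ORG and host/bar.foo.org@FOO.ORG are made up, and there is no pre-authentication, so a wrong password only shows up when the client fails to open the AS reply.

```python
# Toy model of the Kerberos AS, TGS and AP exchanges (added example, not krb5 code).
import hashlib, hmac, json, os, time

LIFETIME = 600  # seconds a toy ticket stays valid

def string2key(password: str, salt: str) -> bytes:
    # Stand-in for the krb5 string-to-key function; salt is the principal name.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("bad key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(ticket: dict, authenticator: bytes) -> str:
    """Used by both the TGS and application servers: the ticket must be unexpired and the
    authenticator must be sealed with the ticket's session key and name the same client."""
    if ticket["exp"] < time.time():
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    if auth["cname"] != ticket["cname"] or abs(auth["ctime"] - time.time()) > 300:
        raise ValueError("authenticator does not match ticket")
    return ticket["cname"]

class KDC:
    """Authentication Service + Ticket Granting Service over one principal database."""
    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}  # principal -> long-term key: the reason the KDC must be protected
        self.tgs_name = f"krbtgt/{realm}@{realm}"
        self.add_principal(self.tgs_name, os.urandom(32).hex())

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = string2key(password, name)

    def _ticket(self, cname: str, sname: str):
        skey = os.urandom(32)  # fresh session key, shared by client and service
        return skey, seal(self.db[sname], {"cname": cname, "sname": sname,
                                           "key": skey.hex(), "exp": time.time() + LIFETIME})

    def as_req(self, cname: str, nonce: int):
        """AS exchange: the reply part is readable only with the client's long-term key."""
        skey, tgt = self._ticket(cname, self.tgs_name)
        return seal(self.db[cname], {"key": skey.hex(), "nonce": nonce}), tgt

    def tgs_req(self, tgt: bytes, authenticator: bytes, sname: str):
        """TGS exchange: open the TGT with the krbtgt key, verify the authenticator,
        then issue a ticket sealed under the service's key."""
        tgs = unseal(self.db[self.tgs_name], tgt)
        cname = check_authenticator(tgs, authenticator)
        skey, tkt = self._ticket(cname, sname)
        return seal(bytes.fromhex(tgs["key"]), {"key": skey.hex(), "sname": sname}), tkt

class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, string2key(password, name)

    def login(self, kdc: KDC) -> None:  # what kinit does
        nonce = int.from_bytes(os.urandom(4), "big")
        enc, self.tgt = kdc.as_req(self.name, nonce)
        rep = unseal(self.key, enc)  # wrong password -> ValueError here
        if rep["nonce"] != nonce:
            raise ValueError("replayed AS reply")
        self.tgt_key = bytes.fromhex(rep["key"])

    def _authenticator(self, key: bytes) -> bytes:
        return seal(key, {"cname": self.name, "ctime": time.time()})

    def get_service_ticket(self, kdc: KDC, sname: str):
        enc, tkt = kdc.tgs_req(self.tgt, self._authenticator(self.tgt_key), sname)
        skey = bytes.fromhex(unseal(self.tgt_key, enc)["key"])
        return tkt, self._authenticator(skey)  # the two halves of an AP-REQ

class AppServer:
    """A Kerberized service: holds only its own key (its keytab), never talks to the KDC."""
    def __init__(self, name: str, kdc: KDC, password: str):
        self.name, self.key = name, string2key(password, name)
        kdc.add_principal(name, password)

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        return check_authenticator(unseal(self.key, ticket), authenticator)

def demo(password: str = "hunter2", attempt: str = "hunter2") -> str:
    """Full flow for a made-up realm; returns the client name the service authenticated."""
    kdc = KDC("FOO.ORG")
    kdc.add_principal("alice@FOO.ORG", password)
    telnetd = AppServer("host/bar.foo.org@FOO.ORG", kdc, os.urandom(16).hex())
    alice = Client("alice@FOO.ORG", attempt)
    alice.login(kdc)
    tkt, auth = alice.get_service_ticket(kdc, telnetd.name)
    return telnetd.accept(tkt, auth)

def wrong_password_rejected() -> bool:
    try:
        demo(attempt="not-hunter2")
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(demo(), wrong_password_rejected())
```

    Two points the model makes visible: the application server verifies the client with nothing but its own key, so it never needs to contact the KDC, and the KDC's database contains every key in the realm, which is why the text insists the KDC be as secure as possible. Because no pre-authentication is modelled, the AS reply is handed out before the password is checked, as in plain Kerberos 5 without preauth; a real deployment enables pre-authentication so that an attacker cannot collect AS replies for offline password guessing.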

    Understanding realms

    In theory, the realm name is arbitrary. You can call your realm whatever you want.

    However, in practice a Kerberos realm is named by uppercasing the DNS domain name associated with the hosts in the to-be named realm. In other words, if your hosts are all in the foo.org domain, you might call your Kerberos realm FOO.ORG.

    If you wish to have more than one Kerberos realm associated with the same DNS domain name, the convention is to create realms that are in the same hierarchy of your DNS domain name. For example, if you wish to have two Kerberos realms in the DNS domain foo.org for Human Resources and Sales, you might create the Kerberos realms HR.FOO.ORG and SALES.FOO.ORG.

    The convention to use uppercase for realm names arose out of the desire to easily distinguish between DNS domain names (which are case-insensitive) and Kerberos realms. The Kerberos realm name is case-sensitive (the realm foo.org is different from the realm FOO.ORG), so a client configured with the wrong case will simply fail to find or authenticate to the realm. You are not required to have an uppercase Kerberos realm, but I would strongly advise it.

    It is worth noting that the more recent revisions of the Kerberos specification state that uppercase realm names are preferred and that lowercase realm names have been deprecated.

    References

    1. http://technet.microsoft.com/en-us/library/cc780469(v=WS.10).aspx

    2. http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html

    Original article: https://www.cnblogs.com/whyandinside/p/2494881.html