• Only the KDC needs to know the user’s password (used to generate the shared secret)
• You can have multiple KDCs for redundancy, but they all need to have a copy of the username/password database
• Only the TGS needs to know the secret keys for the servers
• You can split KDC from TGS, but it is common for those two services to reside on the same physical machine
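
An added sketch (not from the original slides) of the key custody these points describe: which party holds which secret, and what each can and cannot open. The PBKDF2 key derivation, the HMAC-based sealing, the key shared between KDC and TGS, and all names and sample values are assumptions for illustration; authenticators, timestamps and the client/server session key are left out.

```python
import hashlib, hmac, json, os

def string_to_key(password, salt):
    # Stand-in for Kerberos string-to-key: password + salt -> long-term key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _stream(key, nonce, n):
    # Toy keystream from HMAC-SHA256 (illustration only, not a Kerberos enctype).
    blocks = (hmac.new(key, nonce + bytes([i]), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    return nonce + tag + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    pt = bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))
    return json.loads(pt)

# Constructed sample data. Key custody follows the points above.
SALT = "EXAMPLE.COMalice"
USER_DB = {"alice": string_to_key("correct horse", SALT)}   # KDC only
TGS_KEY = os.urandom(32)                                    # KDC and TGS (assumed)
SERVICE_KEYS = {"http/web": os.urandom(32)}                 # TGS and that server

def kdc_login(user):
    # KDC: session key sealed for the user, plus a TGT only the TGS can open.
    sk = os.urandom(16).hex()
    return seal(USER_DB[user], {"sk": sk}), seal(TGS_KEY, {"user": user, "sk": sk})

def tgs_ticket(tgt, service):
    # TGS: trusts the TGT because it opens under TGS_KEY; never sees a password.
    return seal(SERVICE_KEYS[service], {"user": unseal(TGS_KEY, tgt)["user"]})

def access(user, password, service):
    reply, tgt = kdc_login(user)
    unseal(string_to_key(password, SALT), reply)   # client: fails on a bad password
    ticket = tgs_ticket(tgt, service)
    return unseal(SERVICE_KEYS[service], ticket)["user"]   # server-side check
```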