Prepare for Kerberos server changes Jan/Feb 2008
From: Information Technologies Special Bulletins <itbulletin-mailbox@cornell.edu>
Subject: Prepare for Kerberos server changes Jan/Feb 2008
If you maintain services that use CIT's authentication service (Kerberos) or manage firewalls on Cornell campus networks, you need to prepare for a change CIT is making in January/February 2008.
Please see "Details" below for the timeline and the steps you need to take.
SUMMARY: In January/February 2008, CIT will be moving the Kerberos authentication servers (KDCs) from the current AIX configuration to a Linux environment. Campus service owners will need to check certain system configurations and test their applications during the month of December and the first week of January.
This change combines the need to replace aging hardware with CIT's planned retirement of AIX support. GuestID and ApplicantID authentication services are NOT impacted by this change.
--------
DETAILS
Key dates:
11/29/07 - CIT makes test instance available for campus testing
11/29/07 to 01/06/08 - Service owners do testing and configuration
01/06/08 - CIT moves primary Kerberos authentication server (KDC) to Linux
02/07/08 - CIT moves secondary KDC to Linux
==> Steps that service owners need to complete no later than 1/6/08:
1) Make sure applications using CIT's authentication service are
configured to use the hostnames for both the primary and secondary
KDCs:
kerberos.cit.cornell.edu and kerberos2.cit.cornell.edu
o For Windows: krb5.conf and krb.con
o For Linux, AIX, Solaris, and other Unix clones: krb5.conf and krb.conf. These are usually in /etc
o Do not swap the order of the KDCs in the conf files
2) Make sure applications are NOT using the hardware names Zodiac1
or Zodiac2, or the IP addresses for those servers (132.236.61.52
and 132.236.228.25). If they are, re-configure them with the names
in step 1 instead.
3) Add this new IP address to any firewall, ipsec, or ipfilter rules
allowing traffic to the current KDCs:
132.236.200.0/24
(This is in addition to the IP addresses for the current KDCs:
132.236.61.52 and 132.236.228.25.)
4) Verify test instances of your applications against the test KDCs:
kerberos.test.login.cornell.edu
kerberos2.test.login.cornell.edu
Make sure authentication is working. If you experience any
problems, report them to idmgmt@cornell.edu.
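The following shell script is an added example, not part of the CIT bulletin. It audits a krb5.conf against steps 1 and 2 above: both CIT KDC hostnames present, the primary listed before the secondary, and none of the retired Zodiac hardware names or old KDC addresses anywhere in the file. The two embedded krb5.conf fragments are constructed sample input, and REALM.EXAMPLE is a placeholder because the bulletin does not state the realm name.

```shell
#!/bin/sh
# Added example (not CIT's own tooling): audit a krb5.conf against steps 1 and 2
# of the KDC migration bulletin. Usage: sh audit_krb5.sh /etc/krb5.conf
# With no argument it demonstrates the checks on constructed sample files.

PRIMARY='kerberos.cit.cornell.edu'
SECONDARY='kerberos2.cit.cornell.edu'
# Hardware names and addresses that step 2 says must no longer be used.
FORBIDDEN='zodiac1|zodiac2|132\.236\.61\.52|132\.236\.228\.25'

# first_match_line STRING FILE: line number of the first line containing
# STRING (fixed-string match), or 0 if it never appears.
first_match_line() {
    n=$(grep -F -n -- "$1" "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# check_krb5_conf FILE: print findings; return 0 only if every check passes.
check_krb5_conf() {
    conf="$1"
    rc=0
    # Step 1: both KDC hostnames present, primary before secondary.
    p=$(first_match_line "$PRIMARY" "$conf")
    s=$(first_match_line "$SECONDARY" "$conf")
    if [ "$p" -eq 0 ]; then echo "FAIL: $PRIMARY is not listed as a KDC"; rc=1; fi
    if [ "$s" -eq 0 ]; then echo "FAIL: $SECONDARY is not listed as a KDC"; rc=1; fi
    if [ "$p" -ne 0 ] && [ "$s" -ne 0 ] && [ "$p" -gt "$s" ]; then
        echo "FAIL: KDC order swapped (secondary on line $s, primary on line $p)"
        rc=1
    fi
    # Step 2: retired hardware names or addresses must not appear at all.
    if grep -i -n -E -- "$FORBIDDEN" "$conf"; then
        echo "FAIL: replace the Zodiac names/addresses above with the step 1 hostnames"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $conf"
    return "$rc"
}

# Constructed sample that satisfies steps 1 and 2 (REALM.EXAMPLE is a placeholder).
sample_good_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = REALM.EXAMPLE

[realms]
    REALM.EXAMPLE = {
        kdc = kerberos.cit.cornell.edu
        kdc = kerberos2.cit.cornell.edu
    }
EOF
}

# Constructed sample that still points at the old hardware (fails step 2).
sample_bad_conf() {
    cat <<'EOF'
[realms]
    REALM.EXAMPLE = {
        kdc = 132.236.61.52
        kdc = Zodiac2
    }
EOF
}

if [ $# -ge 1 ]; then
    check_krb5_conf "$1"
else
    tmp=$(mktemp)
    sample_good_conf > "$tmp"; check_krb5_conf "$tmp"
    sample_bad_conf > "$tmp"; check_krb5_conf "$tmp" || true
    rm -f "$tmp"
fi
```

The check is purely textual: it confirms what the file says, not which file the application actually reads, so it does not replace step 4. For that step, point a copy of the configuration at kerberos.test.login.cornell.edu and kerberos2.test.login.cornell.edu and authenticate through it (with MIT Kerberos, setting the KRB5_CONFIG environment variable to that copy before running kinit lets you test without touching /etc/krb5.conf).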
After February 7, 2008, when the cutover to the new KDCs should be complete, campus service owners and network administrators can safely modify rules to disallow the old KDCs.
==> Steps that CIT will be taking to ensure as smooth a cutover as possible:
* CIT will modify CIT-maintained ACLs to allow traffic from the
new KDCs and will notify network administrators. After Feb. 7,
2008, when the cutover to the new KDCs should be complete,
CIT will modify ACLs to disallow the old KDCs and will notify
network administrators.
* CIT will test whether the change will be transparent for the
standard Windows and Macintosh firewall configurations.
* CIT will monitor logs on the secondary KDC after the cutover of
the primary KDC to identify applications that have not yet
been configured for the new KDCs. CIT will contact the individuals
responsible for these hosts to help them make the necessary changes.
* CIT will send additional communications and reminders as key
dates approach.
* CIT will send general campus communications regarding the change
and what people can expect on each cutover date.
If you have any questions or concerns, please let us know at idmgmt@cornell.edu.
