Tips for Accessing Experiment Specific Computing

Thanks to Tia Miceli's MicroBooNE page, and the LarSoft legacy page for much of this information.

If you are new to Fermilab, please look at Welcome New Computing Users to get started.

Background

When reading documentation about Fermilab, it helps to know that a user is considered:

  • "Employee" if hired by Fermilab.
  • "Contractor" if the hiring business is paid by Fermilab.
  • "On-Site Visitor" if hired by your institution but staying at the Fermilab site to perform research.
  • "Off-Site Visitor" if hired by your institution and performing research with Fermilab, but staying at your home institution.

The "Fermilab contact person" is one of your spokespersons.

Getting Accounts on Experiment Specific computers

If you need to request an interactive account on your experiment's servers:
  • Log into the Service Desk using your Services password.
  • Click on 'Service Catalog' in the left frame.
  • Click on 'Affiliation\Experiment Computing Account Request'
  • Use the 'Select Affiliation/Experiment' dropdown menu
  • If your experiment or project is not listed, request this through 'Create a New Scientific Computing Request'

Most experiments have an option to set up FNALU accounts automatically when people join the experiment and request accounts on the interactive computers (i.e., by following the steps listed above). In general, you should request an interactive computer account through your experiment and acquire an FNALU account in that manner. If you definitely know that you need an FNALU account and nothing more, then begin here: https://fermi.service-now.com/kb_view.do?sysparm_article=KB0010797#fnalu

Renewing Accounts

Please see Accounts and Passwords to renew your accounts.

Please see Changing Passwords to change your password.

Logging into Fermilab Computers with Kerberos

For general information on Kerberos, see the web page Authentication or the document Strong Authentication at Fermilab.

Users must have a valid Kerberos ticket to log into a Fermilab machine. The ticket is obtained by executing the following command at a terminal prompt:

$ kinit <principal>@FNAL.GOV

where <principal> is the user's Kerberos principal (e.g. your uid). If a user is attempting to access the repository from a non-Fermilab machine, the following lines must be in the user's .ssh/config:

Host *.fnal.gov
    ForwardAgent yes
    ForwardX11 yes
    ForwardX11Trusted yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

If you receive a permission denied error from your OpenSSH client, the following client is compatible with Fermilab Kerberos authentication:
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

Be sure to have the correct configuration for the /etc/krb5.conf file. The current Fermilab version of this file is available at: http://security.fnal.gov/krb5.conf

If you are behind a NAT (network address translation) service, you may need "addressless" tickets. Experiment with the kinit options -a and -A if you get a permission denied error when ssh'ing in.

It is possible to allow other users (or yourself, from another machine or with another Kerberos identity) to access your account via a .k5login file in your $HOME directory. If you create a .k5login file, make sure to put your own username in it, or you can be locked out of your own account. The line to include is:
<your_Kerberos_principal>@FNAL.GOV

This line isn't needed if the .k5login file does not exist.

Macintosh Users Tip

MacPorts has been seen to install a version of Kerberos in /opt/local/bin that differs from the one that comes with Mac OS X, and to put it ahead of the system one in the user's path. This version will run kinit and give you tickets that look fine with klist, but which will not work when ssh'ing in to Fermilab computers. Use the Kerberos utilities that come with Mac OS X instead, in /usr/bin/.
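
The checks below are an added example, not part of the original page or any Fermilab tooling. They cover the .k5login lockout, the GSSAPI settings in .ssh/config and the shadowed kinit from the Macintosh tip; the function names and the default principal $USER@FNAL.GOV are assumptions.

```shell
#!/bin/sh
# Added example: local checks for the login pitfalls on this page (hypothetical names).

# k5login_ok FILE PRINCIPAL
# 0 if FILE does not exist (no entry is needed then) or if PRINCIPAL is on
# a line of its own; 1 if FILE exists without it (lockout risk).
k5login_ok() {
    [ -e "$1" ] || return 0
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | grep -qxF -- "$2"
}

# first_in_path CMD PATHSTRING
# Print the first executable CMD found walking PATHSTRING in shell order, so
# a copy in /opt/local/bin that shadows /usr/bin becomes visible.
first_in_path() (
    IFS=:
    set -f                      # no globbing while splitting PATHSTRING
    for dir in $2; do
        [ -n "$dir" ] || dir=.  # empty PATH element means current directory
        if [ -x "$dir/$1" ] && [ ! -d "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# ssh_gssapi_ok FILE
# 0 if FILE sets both GSSAPI options to yes somewhere (simple line match;
# it does not work out which Host block they belong to).
ssh_gssapi_ok() {
    [ -r "$1" ] || return 1
    grep -Eiq '^[[:space:]]*GSSAPIAuthentication[[:space:]=]+yes[[:space:]]*$' "$1" &&
    grep -Eiq '^[[:space:]]*GSSAPIDelegateCredentials[[:space:]=]+yes[[:space:]]*$' "$1"
}

# check_fnal_login [PRINCIPAL]: report for the current user (default principal is assumed).
check_fnal_login() {
    principal=${1:-$USER@FNAL.GOV}
    k5login_ok "$HOME/.k5login" "$principal" ||
        echo "WARNING: ~/.k5login exists but does not list $principal"
    ssh_gssapi_ok "$HOME/.ssh/config" ||
        echo "WARNING: ~/.ssh/config does not enable both GSSAPI options"
    kinit_path=$(first_in_path kinit "$PATH") || kinit_path="(not found)"
    echo "kinit resolves to: $kinit_path"
    [ "$kinit_path" = /usr/bin/kinit ] ||
        echo "NOTE: not /usr/bin/kinit; on a Mac see the Macintosh tip"
}
```

Source the file and run check_fnal_login, optionally passing your principal, before the first ssh attempt.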