Who Am I ?
5/27/14 - Information here is obsolete, please see: https://cdcvs.fnal.gov/redmine/projects/fife/wiki/Welcome_New_Computing_Users
As noted in Authentication you have a single Fermilab user name.
Its use varies depending on what you are doing.
We will give a summary here for each of the 5 security realms,
in order of simplicity ( Windows, Services, AFS, SSL Certs, Kerberos )
Windows
Use the standard username. Not discussed here.
Services
Use the standard username and Services password when connecting to any of these web services.
AFS
You need an AFS token for access to /afs/fnal.gov/...
You get this automatically when ssh'ing to an interactive system.
View it with 'tokens'
User's (AFS ID 1060) tokens for firstname.lastname@example.org [Expires Mar 12 12:40]
These do expire. Renew by doing kinit.
AFS has a klog command which used to give a token using a separate AFS password. This is disabled at Fermilab.
SSL Certs
You initially get an OSG cert in your browser, then save this on local disk using a passphrase.
It is up to you to remember that passphrase.
Your certificate is identified by your CN: Common Name field, something like
Firstname Lastname 123
When it is renewed, this identity will be retained, avoiding the need to reregister with services.
Kerberos
You do have a single username, shared with Services etc.
But you may deal with several Kerberos principals derived from that username.
- default principal
Kerberos identities are based on a 'principal' which includes that name.
See the output of klist :
Default principal: your-username@FNAL.GOV
You get an active ticket for Kerberos access with 'kinit'.
This ticket is a file on local disk, usually in /tmp; see $KRB5CCNAME.
- cron principal
Because cron jobs may need a ticket, and you are not there to type a password,
we have a special kcron command to generate a special principal that looks like
Default principal: your-username/cron/hostname.fnal.gov@FNAL.GOV
- root principal
Some people need to access sensitive accounts,
and may be authorized to have 'root' principals used only briefly.
- service principal
Shared accounts may have 'service' principals, for which there is no password.
Again, these need to be entered in the appropriate .k5login files for access.
- .k5login access
These cron and root principals are distinct from your default principals.
If used for access to a remote account, they need to be put in your .k5login access file, one principal per line:
your-username@FNAL.GOV
your-username/cron/hostname.fnal.gov@FNAL.GOV
your-username/root@FNAL.GOV
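Since every line in .k5login grants login to the account, it is worth reviewing what is in it. The following is an added example, not part of the original page or Fermilab's tooling: a Python audit that classifies each entry by the principal forms shown above and flags entries that deserve a look. The function names, the finding labels, and the `someone-else` and `EXAMPLE.ORG` sample entries are assumptions constructed for illustration.

```python
import re

# Principal shapes shown on the page: user@REALM, user/cron/host@REALM, user/root@REALM.
PRINCIPAL = re.compile(r"^(?P<primary>[^/@\s]+)(?:/(?P<instance>[^@\s]+))?@(?P<realm>[^@\s]+)$")

def classify(principal):
    """Return (primary, kind, realm), or None if the text is not a principal."""
    m = PRINCIPAL.match(principal)
    if not m:
        return None
    inst = m.group("instance")
    if inst is None:
        kind = "default"
    elif inst == "root":
        kind = "root"
    else:
        kind = "cron" if re.fullmatch(r"cron/[^/]+", inst) else "other"
    return m.group("primary"), kind, m.group("realm")

def audit_k5login(text, owner, realm="FNAL.GOV"):
    """Return [(entry, kind, findings)]; the finding labels are this example's own (assumed)."""
    report, seen = [], set()
    for entry in filter(None, map(str.strip, text.splitlines())):
        parsed = classify(entry)
        if parsed is None:
            report.append((entry, "invalid", ["not a principal"]))
            continue
        primary, kind, entry_realm = parsed
        checks = [(entry in seen, "duplicate"),
                  (entry_realm != realm, "foreign realm"),
                  (primary != owner, "not the account owner"),
                  (kind == "other", "unrecognized instance")]
        findings = [label for hit, label in checks if hit]
        seen.add(entry)
        report.append((entry, kind, findings))
    return report

# Constructed sample: the three entries from the page plus two made-up ones to flag.
SAMPLE = """\
your-username@FNAL.GOV
your-username/cron/hostname.fnal.gov@FNAL.GOV
your-username/root@FNAL.GOV
someone-else@FNAL.GOV
your-username@EXAMPLE.ORG
"""

if __name__ == "__main__":
    for entry, kind, findings in audit_k5login(SAMPLE, "your-username"):
        print(f"{entry:48} {kind:8} {', '.join(findings) or 'ok'}")
```

A flagged entry is not necessarily wrong (shared accounts legitimately list other users' principals); it is a line to confirm against who should have access.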
- KX509 proxies
Access to Grid resources ( jobs, FTP transfers ) is via X509 SSL certificates,
which may be generated from your Kerberos ticket.
For job submission, this is handled by the kproxy script.
For file access, you may need to run the 'getcert' command,