Fermilab Computing Access

Getting started with computing services at Fermilab

Getting started with computing services at Fermilab describes all of the necessary steps, which may take a full day.

When following the first steps for Introduction to Computing at Fermilab, you are considered:
  • "Employee" if you are hired by Fermilab.
  • "Contractor" if your hiring business is paid by Fermilab.
  • "On-Site Visitor" if you are hired by your institution but are staying at the Fermilab site to perform research.
  • "Off-Site Visitor" if you are hired by your institution and performing research with Fermilab, but are staying at your home institution.

Some other notes about filling out these forms, you are joining one of these organizations:

The "Fermilab contact person" is one of your spokespersons. Their information can be found on the contact pages linked above.

Be sure to request an FNALU account at the Service Desk (going there in person is fastest!), or via email at . Once this is completed you should be able to access the Fermilab interactive machines, described below.

Ask your new collaborators! Brian Rebel, Mike Kirby, Andrzej Szelc, or anyone nearby!

Renewing Fermilab Computing Accounts and other stuff

Please see Accounts and Passwords to renew your accounts.

Please see Changing Passwords to change your password.

Please see FNALU Accounts if you need a general Fermilab Unix account.

Logging into Fermilab Computers with Kerberos

Users must have a valid Kerberos ticket at the time they attempt to log into a Fermilab machine. The ticket is obtained by executing the following command at a terminal prompt:

$ kinit <principal>@FNAL.GOV

where <principal> is the user's Kerberos principal (e.g. your uid). If a user is attempting to access the repository from a non-Fermilab machine, the following lines must be in the user's .ssh/config:

Host *
ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
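
An added check, not part of the original page: because the lines above sit under `Host *`, agent forwarding, trusted X11 forwarding and Kerberos credential delegation apply to every host you ssh to, not only Fermilab machines. The script lists such options in a client config. The `*.fnal.gov` pattern in its second sample is an assumption about the login hosts' domain.

```shell
#!/bin/sh
# Added example: list credential-forwarding options that an ssh client config
# turns on for every destination (the global section or a "Host *" block).

audit_ssh_forwarding() {
    # $1: path to an ssh client config; prints one "scope: option" per finding
    awk '
    BEGIN { scope = "global"; wild = 1 }   # options before any Host apply to all
    /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        sub(/[ \t]*=[ \t]*/, " ", line)    # "Key=value" is also valid syntax
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])                # keywords are case-insensitive
        if (key == "host") {
            scope = "Host"; wild = 0
            for (i = 2; i <= n; i++) {
                scope = scope " " f[i]
                if (f[i] == "*") wild = 1  # bare wildcard matches all hosts
            }
            next
        }
        if (key == "match") { scope = "Match"; wild = 0; next }  # not evaluated
        if (wild && tolower(f[2]) == "yes" &&
            (key == "forwardagent" || key == "forwardx11trusted" ||
             key == "gssapidelegatecredentials"))
            print scope ": " f[1]
    }' "$1"
}

demo_audit() {
    # Constructed inputs: the block from the page, then the GSSAPI lines scoped
    # to *.fnal.gov (an assumed pattern for the Fermilab login hosts).
    tmp=$(mktemp) || return 1
    printf '%s\n' 'Host *' 'ForwardAgent yes' 'ForwardX11 yes' \
        'ForwardX11Trusted yes' 'GSSAPIAuthentication yes' \
        'GSSAPIDelegateCredentials yes' > "$tmp"
    audit_ssh_forwarding "$tmp"            # reports three options
    printf '%s\n' 'Host *.fnal.gov' 'GSSAPIAuthentication yes' \
        'GSSAPIDelegateCredentials yes' > "$tmp"
    audit_ssh_forwarding "$tmp"            # reports nothing
    rm -f "$tmp"
}

demo_audit
```

Run `audit_ssh_forwarding ~/.ssh/config` against your own file. Match blocks are skipped rather than evaluated.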

If ssh fails with a permission denied error, the cause may be the OpenSSH client. The following client is compatible with Fermilab Kerberos authentication:
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

One also needs to be sure to have the correct configuration for the /etc/krb5.conf file. The current Fermilab version of this file is available here.

If you are behind a NAT service, you may need "addressless" tickets. If you get a permission denied error when ssh'ing in, experiment with the -a and -A options of kinit.

It is possible to allow other users (or yourself, on another machine or with another Kerberos identity) to access your account via a .k5login file in your $HOME directory. A warning, however: if you create a .k5login file, make sure you put your own username in it, or you can be locked out of your own account. It should have the line


in it. Not needed if the file does not exist.

LArIAT Permissions

Once your Kerberos principal and Service accounts are set up following the instructions linked above, you can use the Self-Service page to request a LArIAT account. Navigate to "Request New/Renew Accounts" -> "Affiliation\Experiment Computing Account Request", and from the drop-down menu select "T1034 Liquid Argon/LArIAT" to submit your request for approval. Once this account is approved you should have developer access to the git repository and be able to access the LArIAT virtual machines (lariatgvpm0[N]).