Adding Remote Control Rooms

To add a new control room:

  1. Request a new special use principal

The principal should take the form:

nova-controlroom-<INSTITUTION>/nova/nova-daq-01.fnal.gov@FNAL.GOV

  2. Generate the actual keytab files for the new principal

This is done on a Linux machine with the following command:

/usr/krb5/sbin/kadmin -p nova-controlroom-<INSTITUTION>/nova/nova-daq-01.fnal.gov@FNAL.GOV -q "ktadd -k nova-controlroom-<INSTITUTION>.keytab nova-controlroom-<INSTITUTION>/nova/nova-daq-01.fnal.gov@FNAL.GOV" -w <password>

Replace <INSTITUTION> with the name of the institution and <password> with the password obtained from the security people via the service desk (they will email a one-time-use password). This creates a keytab file called "nova-controlroom-<INSTITUTION>.keytab", which can be used to generate the Kerberos tickets.

Example:

/usr/krb5/sbin/kadmin -p nova-controlroom-indiana/nova/nova-daq-01.fnal.gov@FNAL.GOV -q "ktadd -k nova-controlroom-indiana.keytab nova-controlroom-indiana/nova/nova-daq-01.fnal.gov@FNAL.GOV" -w Fus734Suf992

  3. Add this principal to the .k5login of the novacr01 account on the gateway machine

Gateway                   Account              Access to
novadaq-far-gateway-01    novacr01,02,03,04    novadaq at fardet/neardet

Note: the .k5login file is owned by root, so you must have root access. The .k5login is HARD linked to the .k5login in each of the other DAQ accounts (novacr02, novacr03, etc.).
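
Because the .k5login files are hard linked, the principal has to be appended to the existing file in place; an editor or "sed -i" that writes a new file and renames it leaves the other accounts on the old inode. The following is an added example, not part of the original wiki page: the function names, the idempotent append and the inode check are assumptions about how one might do this step safely.

```shell
#!/bin/sh
# Added example: function names are hypothetical; run as root on the gateway.

# Print the inode number of a file (ls -i is portable, GNU stat is not).
inode_of() {
    ls -di -- "$1" | awk '{print $1}'
}

# Succeed only if every listed file shares the first file's inode,
# i.e. all of them are hard links to one .k5login.
same_inode() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 2; }
    first=$(inode_of "$1")
    for f in "$@"; do
        [ -e "$f" ] && [ "$(inode_of "$f")" = "$first" ] || {
            echo "NOT hard linked to $1: $f" >&2
            return 1
        }
    done
}

# Append a control-room principal to a .k5login, only if it is not listed yet.
# ">>" writes into the existing inode, so every linked account sees the change.
add_principal() {
    file=$1
    principal=$2
    # Accept only the principal form this page specifies.
    case $principal in
        nova-controlroom-*/nova/nova-daq-01.fnal.gov@FNAL.GOV) ;;
        *) echo "unexpected principal form: $principal" >&2; return 2 ;;
    esac
    # Exact whole-line match: already present means nothing to do.
    grep -Fxq -- "$principal" "$file" && return 0
    # If the last line lacks a newline, add one so entries do not fuse.
    [ -z "$(tail -c 1 "$file")" ] || echo >> "$file"
    printf '%s\n' "$principal" >> "$file"
}

# Typical use (home directory paths are an assumption):
#   add_principal ~novacr01/.k5login \
#       nova-controlroom-indiana/nova/nova-daq-01.fnal.gov@FNAL.GOV
#   same_inode ~novacr01/.k5login ~novacr02/.k5login ~novacr03/.k5login
```

If same_inode reports a mismatch, the link was broken by an earlier edit and that account is authorizing against a stale list.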