UserAccounts

Home User Accounts Allocations SLURM Hardware Software Filesystems Tape Storage Cluster Status Contact


Job dispatch explained Kerberos & SSH Troubleshooting Tips Data Management Policy Globus Online FAQs



New User Accounts
To access USQCD computing resources at Fermilab users require the following three items: Visitor ID Kerberos account Unix accounts on the LQCD cluster machines Visitor ID and Kerberos account Submit an online application form for a Visitor ID and Kerberos account using this link. In the pulldown menu under: Provide your affiliation select Lattice QCD Fermilab contact name list James Simone Fermilab contact phone list x3748 Fermilab contact email list simone@fnal.gov Unix accounts on the LQCD cluster machines After you have received email with information about your Kerberos account, send email to hpc-admin@fnal.gov to request an account on the LQCD cluster machines. In the email mention your kerberos account name and identify your project name as listed in the allocations table. We also require an email from the PI of the project verifying your affiliation to the project. Existing Allocation / Projects In order to add you to an existing project allocation, we need an email from the project's PI or POC asking that we add your account and associate it with the project. We ask that the user who is requesting the account contact the PI or POC to have them send an email to hpc-admin@fnal.gov. This email should include the user's Kerberos principle and the project name. We can not set up an account unless the request comes from or through the project PI or POC. The current list of allocated projects lists the PI or POC contact person. Once we have that request, we will create a Request ticket to track the work. Our goal is to have the new account ready within two business days. You are now all set to start using the Fermilab LQCD clusters. If you get stuck at any of the above steps please send us an email to lqcd-admin@fnal.gov with detailed explanation of the issue you are facing.
Renewing your Visitor ID and Kerberos account
Your Visitor ID and computer privileges expire at different intervals depending on your classification (employee, contractor, on-site or off-site visitor). Please note that even when your ID or computer privileges expire we do not erase any user data stored on the Fermilab LQCD clusters. If you need to lookup your Vistor ID number then use the Fermilab telephone directory search pages to look for your name. If an entry exists for you and that entry lists a Visitor ID number, record that number for filling out the account renewal application. Details regarding the account renewal process for a visitor can be found at this link. If you still need further assistance please email us at lqcd-admin@fnal.gov
Changing your Kerberos account password
A month before your Kerberos password is set to expire you will receive a reminder email from the Fermilab Service Desk requesting you to change your password as soon as you can. Please do not ignore this reminder email and act upon it as soon as possible. You will lose remote login privileges to the USQCD cluster resources at Fermilab once your Kerberos password has expired. Follow the instructions for changing your Kerberos password as listed in this knowledge base article. If you still need further assistance please email us at lqcd-admin@fnal.gov
Kerberos software installation
Many UNIX systems already have kerberos installed. Use which kinit to see whether this software is already in your path. If not, check if /usr/krb5 or /usr/kerberos directories exist on your workstation - if so, add /usr/kerberos/bin (or the equivalent for krb5) to the front of your path. On RedHat Linux systems (MAC read this), you will need to install the following RPM's (versions will vary): krb5-libs krb5-workstation pam_krb5 If kerberos software is already installed on your system, you will need to modify the configuration file so that your machine knows how to contact the Fermilab key authentication servers. Copy your OS-specific krb5.conf file in /etc. If you are already using kerberos to access another site, for example, NCSA, you will need to modify your existing /etc/krb5.conf file as follows: In the [realms] section, add FNAL.GOV = { kdc = krb-fnal-1.fnal.gov:88 kdc = krb-fnal-2.fnal.gov:88 kdc = krb-fnal-3.fnal.gov:88 kdc = krb-fnal-4.fnal.gov:88 kdc = krb-fnal-5.fnal.gov:88 kdc = krb-fnal-6.fnal.gov:8 admin_server = krb-fnal-admin.fnal.gov master_kdc = krb-fnal-admin.fnal.gov:88 default_domain = fnal.gov } WIN.FNAL.GOV = { kdc = littlebird.win.fnal.gov:88 kdc = bigbird.win.fnal.gov:88 default_domain = fnal.gov }  In the [domain_realm] section, add .fnal.gov = FNAL.GOV .dhcp.fnal.gov = FNAL.GOV A user must have a valid kerberos ticket before they can login to a Fermilab machine. Here is a sample session showing a typical kerberos dialog to obtain a kerberos ticket. johndoe@FNAL.GOV is the kerberos principal. You must use Secure SHell (SSH) that supports Kerberos to remote login. dalrott:~$ kinit -r 7d johndoe@FNAL.GOV Password for johndoe@FNAL.GOV: dalrott:~$ ssh lq.fnal.gov Scientific Linux Fermi SLF release 7.7 (Nitrogen) NOTICE TO USERS This is a Federal computer (and/or it is directly connected to a Fermilab local network system) that is the property of the United States Government. It is for . . . . <---snip---> lq:~$ Please note: You should only kinit on your local machine, from its console. Do not execute kinit over a network connection (e.g. public wireless access point), since this can expose your kerberos password. You will probably want to request renewable tickets since tickets by default expire 24 hours after they are issued unless renewed with kinit -R. Tickets can be renewed for up to 7 days if you request a ticket using kinit -r 7d. The maximum renewable period is 7 days. Use klist to check whether you hold a valid ticket. If you are connecting from home behind a firewall which uses NAT (Network Address Translation), you'll need to use address-less tickets. Most versions of kerberos will give you address-less tickets if you use the -n switch. Other versions of kerberos may use the -A switch. Check your man page for kinit or use kinit --help to see which switch is supported.

Fermi National Accelerator Laboratory Managed by Fermi Research Alliance, LLC for the U.S. Department of Energy Office of Science
Security, Privacy, Legal