Fermilab Computing Division
Fermilab Homepage Computing Division Homepage Computing Division Banner

Accounts and Passwords

New Accounts

 On-site Employees

  1. Obtain a Fermilab ID during New Employee Orientation. (required before you can apply for computing accounts).
  2. Read the Fermilab Policy on Computing.
  3. You may then fill out the Request Form for Computing Username and Primary Accounts. This form is used to request any of the following:

 

Contractors

  1. Fill out and get signatures on the Contractor ID form (PDF) and obtain your Contractor ID (required before you can apply for computing accounts).
  2. Read the Fermilab Policy on Computing.
  3. Fill out the Request Form for Computing Username and Primary Accounts  (see above for a list of items which can be requested via this form).

 

On-site Visitors

  1. Fill out and get signatures on the Visitors ID Form (PDF) and obtain your Fermilab Visitor ID (required before you can apply for computing accounts).
  2. Read the Fermilab Policy on Computing.
  3. Fill out the Request Form for Computing Username and Primary Accounts  (see above for a list of items which can be requested via this form).
  4. To renew your visitor ID, please submit a servicedesk ticket and the staff in the User's Office will handle it.

 

Off-site Visitors

    Please read Getting Started as Non-Employee Off-site User.

 

Renewing Accounts

 On-site Employees

Periodically re-read the Fermilab Policy on Computing. Your ID and computer privileges are automatically renewed as long as you remain an employee, but you do need to visit the Key & ID office on the ground floor of Wilson Hall to get a new valid photo ID before it expires. (You will be notified by email prior to expiration.)

To reactivate any of your previous accounts, fill out the form for Reactivating Primary Accounts or your Kerberos Principal.

 Contractors 

  1. Re-read the Fermilab Policy on Computing.
  2. Fill out and get signatures on on the Contractor ID form (PDF) for each contract period, BEFORE your ID expires.  Failure to do so will result in losing your computer account acess.  If this happens, fill out the form for Reactivating Primary Accounts or your Kerberos Principal.  (You will be notified by email prior to expiration.)

 On-site Visitors

  1. Re-read the Fermilab Policy on Computing.
  2. Fill out and get signatures on the Visitors ID Form (PDF) BEFORE your ID expires.  Failure to do so will result in losing your computer account acess.  If this happens, fill out the form for Reactivating Primary Accounts or your Kerberos Principal.  (You will be notified by email prior to expiration.)

Off-site Visitors

  1. Re-read the Fermilab Policy on Computing
  2. Fill out the form Apply to Use Fermilab Computers from Off-Site for Non-Employees.

 

Kerberos Principals

The Kerberos Network Authentication Service V5 is the strong authentication program that Fermilab computers are required to run. All the computers associated with a Kerberos installation make up what's called a "strengthened realm". At Fermilab, the strengthened realm for UNIX machines is called FNAL.GOV; for the Windows domain it is FERMI.WIN.FNAL.GOV.

As a user, you need to obtain a Kerberos Principal for each realm and you must choose a very-hard-to-guess Kerberos password. A principal and a password are used together to authenticate you to a machine configured to be in the realm. Your principals will be of the form principal_name@REALM (e.g., joe@FNAL.GOV and joe@FERMI.WIN.FNAL.GOV).

 

Password Change

Follow the procedure for the appropriate system:

*** On UNIX, the Kerberos V5 password and the AFS password are both changed using a command called kpasswd. For Kerberos, use /usr/krb5/bin/kpasswd. For AFS, use /usr/afsws/bin/kpasswd.

If you have forgotten your password on one of the systems above, you should contact the Service Desk, ext 2345, Wilson Hall ground floor. For all other systems, you need to contact the system administrator. 

Please refer to Password Rules for guidelines in choosing your passwords.

 

Fermilab Email Address

Any Fermilab employee, scientific user, or contractor with a valid Fermilab ID is eligible for a Fermilab email address, username@fnal.gov. You are given one automatically when you obtain a Kerberos principal. Use Request Form for Computing Username and Primary Accounts to apply for these items.

Your Fermilab email address should be used as your primary address to ensure that your mail passes through the Fermilab email gateway. The gateway acts as a distribution point for all electronic mail between "@fnal.gov" and outside systems. The gateway facilitates the transfer of messages between dissimilar mail systems. It also scans all messages originating off-site for virus-infected attachments. The IMAP servers scan every message they receive, including those originating on-site.

The Fermilab mail gateway server doesn't store mail; you will need to set your forward on the gateway server to point to an account on an IMAP/POP server or on a UNIX system (either at Fermilab, your home institution, or an ISP) on which you read your email. (We recommend using one of the IMAP servers; see below.) Then, you should set the forward on all other accounts (on which you don't read mail) to your primary address, e.g., username@fnal.gov. If/when you decide to read your mail on a different machine, you need only set up your new machine to read mail and then set your mail forward on the gateway server to this new machine. (For more detailed information, see Setting Email Forwards .)

 

Services Accounts

A "Services Account" enables you to access a number of important applications at Fermilab with a single username/password. Applications now available via the "Services Account" are: Fermilab Service Desk and Fermilab Exchange Email. Over time, more and more applications will come under the "Services Account" umbrella, such as Fermilab Time and Labor Reporting. Go to the "Services Accounts" page for more information and find out how to get a "Services Account".

 

Windows Accounts

Fermilab's Windows domain is named FERMI.WIN.FNAL.GOV; note the upper case. Desktops, servers and other computing resources that belong to it require authentication to the domain prior to use, Kerberos being the default protocol used. You don't get a domain "account" per se, once you obtain a Kerberos principal using Request Form for Computing Username and Primary Accounts.you will be able to authenticate to this domain and thereby access some subset of the servers and resources, as configured for your group. The available resources include:

  • File storage, backup, virus-checking and disaster recovery
  • Computing Division supported softwares and software patches
  • Email services
  • Wide variety of printers
  • VPN support for remote access

FNALU Accounts

In order to get an account on the central UNIX system FNALU, you will need approval from your supervisor or a scientific spokesman when you fill out the Request Form for FNALU Accounts.

FNALU is a managed resource. If you need dedicated space for your project for a group of people on AFS, please fill up Request Form for AFS Space , small projects may qualify under "Non-Grant Usage " guidelines. If you are part of a group or experiment that already has an approved grant, you may be covered by that grant, so check with your group/experiment first.

Crypto Card

If you need to make network connections to UNIX machines in the FNAL.GOV realm from non-Kerberized machines, you will need a Crypto Card.

Apply for your Crypto Card by filling out Request form for CryptoCard. you will need approval from your supervisor or a scientific spokesman when you fill out the Request Form for FNALU Accounts.

 


Send comments about this page via the suggestion form

Last updated by cdweb 9/02/2009

 This page rendered in 0.2882 seconds