Accounts and Passwords

New Accounts

 On-site Employees

1. Obtain a Fermilab ID during New Employee Orientation. (required before you can apply for computing accounts).
   
2. Read the Fermilab Policy on Computing.
   
3. You may then fill the Request Form for Computing Username and Primary Accounts. This form is used to request any of the following:

• a username for all your computer accounts at the lab
• a Fermilab Email address
• a Kerberos Principal
• a CRYPTOCard
• an IMAP account (for email)
• an account on Fermilab's central UNIX system, FNALU

 Contractors

1. Fill out and get signatures on the Contractor ID form (PDF) and obtain your Contractor ID (required before you can apply for computing accounts).
   
2. Read the Fermilab Policy on Computing.
   
3. Fill out the Request Form for Computing Username and Primary Accounts  (see above for a list of items which can be requested via this form).

 On-site Visitors

1. Fill out and get signatures on the Visitors ID Form (PDF) and obtain your Fermilab Visitor ID (required before you can apply for computing accounts).
2. Read the Fermilab Policy on Computing.
   
3. Fill out the Request Form for Computing Username and Primary Accounts  (see above for a list of items which can be requested via this form).
4. To renew your visitor ID, please submit a helpdesk ticket and the staff in the User's Office will handle it.
   

 Off-site Visitors

1. Read the Fermilab Policy on Computing. 
2. Fill out the form Apply to Use Fermilab Computers from Off-Site for Non-Employees.

Renewing Accounts

 On-site Employees

Periodically re-read the Fermilab Policy on Computing. Your ID and computer privileges are automatically renewed as long as you remain an employee, but you do need to visit the Key & ID office on the ground floor of Wilson Hall to get a new valid photo ID before it expires. (You will be notified by email prior to expiration.)

 Contractors 

1. Re-read the Fermilab Policy on Computing.
   
2. Fill out and get signatures on on the Contractor ID form (PDF) for each contract period, BEFORE your ID expires.  Failure to do so will result in losing your computer account acess.  If this happens, fill out the form for Reactivating Primary Accounts or your Kerberos Principal.  (You will be notified by email prior to expiration.)

 On-site Visitors

1. Re-read the Fermilab Policy on Computing.
   
2. Fill out and get signatures on the Visitors ID Form (PDF) BEFORE your ID expires.  Failure to do so will result in losing your computer account acess.  If this happens, fill out the form for Reactivating Primary Accounts or your Kerberos Principal.  (You will be notified by email prior to expiration.)

Off-site Visitors

1. Re-read the Fermilab Policy on Computing. 
2. Fill out the form, Apply to Use Fermilab Computers from Off-Site for Non-Employees.

Kerberos Principles

The Kerberos Network Authentication Service V5 is the strong authentication program that Fermilab computers are required to run. All the computers associated with a Kerberos installation make up what's called a "strengthened realm". At Fermilab, the strengthened realm for UNIX machines is called FNAL.GOV; for the Windows domain it is FERMI.WIN.FNAL.GOV.

As a user, you need to obtain a Kerberos Principle for each realm and you must choose a very-hard-to-guess Kerberos password. A principle and a password are used together to authenticate you to a machine configured to be in the realm. Your principles will be of the form principle_name@REALM (e.g., joe@FNAL.GOV and joe@FERMI.WIN.FNAL.GOV).

Password Change

For password changes on CD-supported systems, you must know your old password in order to change it to a new one. Follow the procedure for the appropriate system:

• Kerberos V5 (UNIX, FNAL.GOV realm)
• Kerberos V5 (Windows, FERMI.WIN.FNAL.GOV realm)
• Mail server
• imapserver1 - You must enter your username and password to get this page.
• imapserver2   - You must enter your username and password to get this page.
• imapserver3  - You must enter your username and password to get this page.
• FNALU (standard UNIX or AFS): use the same procedure as Kerberos V5 (UNIX, FNAL.GOV realm) to change your password
  

*** On UNIX, the Kerberos V5 password and the AFS password are both changed using a command called kpasswd. For Kerberos, use /usr/krb5/bin/kpasswd. For AFS, use /usr/afsws/bin/kpasswd.

If you have forgotten your password on one of the systems above, you should contact the  Computing Division Helpdesk, ext 2345, Wilson Hall ground floor. For all other systems, you need to contact the system administrator. 

Fermilab Email Addresses

Any Fermilab employee, scientific user, or contractor with a valid Fermilab ID is eligible for a Fermilab email address, username@fnal.gov. You are given one automatically when you obtain a Kerberos principal. Use Request Form for Computing Username and Primary Accounts to apply for these items.

Your Fermilab email address should be used as your primary address to ensure that your mail passes through the Fermilab email gateway. The gateway acts as a distribution point for all electronic mail between "@fnal.gov" and outside systems. The gateway facilitates the transfer of messages between dissimilar mail systems. It also scans all messages originating off-site for virus-infected attachments. The IMAP servers scan every message they receive, including those originating on-site.

The Fermilab mail gateway server doesn't store mail; you will need to set your forward on the gateway server to point to an account on an IMAP/POP server or on a UNIX system (either at Fermilab, your home institution, or an ISP) on which you read your email. (We recommend using one of the IMAP servers; see below.) Then, you should set the forward on all other accounts (on which you don't read mail) to your primary address, e.g., username@fnal.gov. If/when you decide to read your mail on a different machine, you need only set up your new machine to read mail and then set your mail forward on the gateway server to this new machine. (For more detailed information, see Setting Email Forwards .)

IMAP Server Accounts

Any Fermilab employee, scientific user, or contractor is eligible for an email account on one of the Fermilab IMAP servers. We encourage all users to use IMAP. Use the Request Form for Computing Username and Primary Accounts to apply for an IMAP account.

New POP email accounts are no longer being created; existing ones may still be used, but we encourage POP users to change to IMAP.

Windows Accounts

Fermilab's Windows domain is named FERMI.WIN.FNAL.GOV; note the upper case. Desktops, servers and other computing resources that belong to it require authentication to the domain prior to use, Kerberos being the default protocol used. You don't get a domain "account" per se, once you obtain a Kerberos principal using Request Form for Computing Username and Primary Accounts.you will be able to authenticate to this domain and thereby access some subset of the servers and resources, as configured for your group. The available resources include:

• File storage, backup, virus-checking and disaster recovery
• Computing Division supported softwares and software patches
• Email services
• Wide variety of printers
• VPN support for remote access

FNALU Accounts

In order to get an account on the central UNIX system FNALU, you will need approval from your supervisor or a scientific spokesman when you fill up the Request Form for Computing Username and Primary Accounts.

FNALU is a managed resource. If you need dedicated space for your project for a group of people on AFS, please fill up Request Form for AFS Space , small projects may qualify under "Non-Grant Usage " guidelines. If you are part of a group or experiment that already has an approved grant, you may be covered by that grant, so check with your group/experiment first.