Help for the Request Forms
- Remote User (also called Off-Site User)
- An off-site Fermilab user is a person affiliated with Fermilab or with one of the experiments in which Fermilab participates, but who is not employed by Fermilab, and whose work is currently and normally conducted off-site, typically at a university or another institution. Offsite users frequently require use of Fermilab computing resources.
- Name
- Use your "official" name, not your nickname. Make sure that you include a middle initial if there might be someone else with the same first and last name.
- E-mail
- Include the full address as username@domain. Use your mailserver address, username@fnal.gov, if you have one (and have the forward on it set correctly). If you are applying for your first account at Fermilab, you may use your email address at your institution, home, or (if none other is available) the email address of your supervisor.
- Lab Employment Status
- Must be entered in order for your ID number to be unique.
- N - Regular
- V - Visitor
- C - Contractor
- Other (You must explain this in the additional information field in the Submit Request section of the form.)
- Employment Period
- Most new employees, visitors and contractors are considered "permanent". Summer students and other term employees are considered "temporary". This helps us to know how to set expiration dates on accounts, how much disk space you will need for storing email, and so on.
- Fermilab ID
- Your Fermilab ID number is a unique identifier for you at Fermilab. It consists of four or five digits followed by N, V, or C, for Employee, Visitor or Contractor, respectively. A Visitor ID number is commonly called a VID. A Fermilab ID number is a prerequisite for getting computing privileges and/or an ID badge. An ID number alone does not guarantee physical access to the Fermilab site. (All on-site, and visiting off-site, personnel are required to get Fermilab ID badges; your ID number appears on your badge.)
- Phone
- Laboratory extension or other phone number where you can be reached. Include the area code for all phone numbers outside of Fermilab.
- Division/Section
- The name of your division or section. If you have more than one affiliation, enter your primary affiliation. You will find this information on your Fermilab ID under "organization" or "affiliation" (the portion preceding the "/", e.g., mydiv/mydept) and on the stub of your paycheck (if you are a Fermilab employee). Experimenters employed by institutions other than Fermilab should leave this blank.
- Department
- The department you work for. Again, if you have more than one affiliation, enter your primary affiliation. You can find this information on your Fermilab ID under "organization" or "affiliation" (the portion following the "/", e.g., mydiv/mydept) and on the stub of your paycheck (if you are a Fermilab employee). Experimenters employed by institutions other than Fermilab should leave this blank.
- Experiment
- Your experiment. If you work with more than one experiment, enter your primary experiment. Non-experimenters and Fermilab-employed experimenters should leave this blank.
- Affiliation
- Your university or other affiliation within your experiment. Non-experimenters and Fermilab-employed experimenters should leave this blank.
- Supervisor/Spokesperson
- You must specify your supervisor or spokesperson, or another person authorized by your experiment or division to approve Computing Division account requests.
- Specify that person's Fermilab email address. We use this address to route your request through your supervisor or spokesperson. This is a paperless way to verify approval. (If you are only applying for a Fermilab email account, approval is not required so you may enter compdiv@fnal.gov.)
Request a Computing Username
- Username, First Choice
- Choose a username as an identifier for yourself. Typically, people choose a username that is as similar as possible to their (real) name or initials. The username you choose will be used for your email address, for your Kerberos principal and for accounts on any computers administered by the Computing Division at Fermilab. For your convenience, we recommend that you use this same username for any other computer accounts you may get at the lab, too.
- Please follow these guidelines in choosing your username:
- Use eight (8) or fewer characters.
- Use only lowercase letters, and optionally any digits 0 through 9.
- DO NOT INCLUDE the characters @ ("at" sign), _ (underscore), / (forward slash) or . (period).
- You can use the Fermilab Telephone Directory search facility to find out if the username you want is already in use. Or you can specify a second choice.
- Username, Second choice
- If you are applying for a new username, specify a second choice in case your first choice has already been taken by another user.
- Previous Usernames
- If you have been issued a Kerberos Principal, don't fill out anything in this section. The username of your principal will be your one and only username. Go to the Form for Reactivating Primary Accounts and/or Kerberos Principal.
- If you have been issued accounts on any machines administered by the Computing Division but no principal, please list the username(s) of these items here.
Request Kerberos Principal and/or Related Items
Kerberos Principals and Passwords
In order to access computing resources in a strengthened realm that enforces Kerberos authentication, you need a special identifier for the realm, called a Kerberos principal, and an associated Kerberos password. A principal is essentially a realm userid; your password is turned into the secret key that the realm's Kerberos server uses to verify your identity, and the password itself is never sent over the network. At Fermilab we have a realm for UNIX machines (FNAL.GOV) and one for Windows 2000 machines (FERMI.WIN.FNAL.GOV). Whether or not you need both, when you request a principal, you get one for each realm. Similarly, you need a password for each realm. We recommend that you synchronize your passwords for the two realms. You are required to change your initial FNAL.GOV realm password within 30 days of its creation (and once a year thereafter).
If your principal does not match your login name on a machine, then you need to be aware of the following:
- You won't be able to log in to that machine through the portal using a CRYPTOCard. The CRYPTOCard login code assumes that the login name and principal match.
- When connecting over the network (rlogin, rsh, telnet, etc.) you'll always have to give the -l login_name option (or login_name@host:... for rcp), and there will have to be a .k5login file in your home directory that lists your principal.
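An illustration of the second point, added here as an example (it is not part of the original page, and the account name jsmith, the principal jdoe@FNAL.GOV and the host mynode.fnal.gov are made up). If your principal is jdoe@FNAL.GOV but your account on mynode.fnal.gov is named jsmith, the file ~jsmith/.k5login on that machine would contain one line, in the form principal@REALM:

```text
jdoe@FNAL.GOV
```

You would then connect with `rlogin -l jsmith mynode.fnal.gov` (or `rcp myfile jsmith@mynode.fnal.gov:`), and a ticket for jdoe@FNAL.GOV would be accepted for the jsmith account. Two caveats worth knowing: the file must be owned by the account it lives in (and should be writable only by that account), and once a .k5login exists it is authoritative, so only the principals listed in it may log in to that account; an account whose owner also has a principal of the same name needs that principal listed too. The same mechanism is how a username/root instance (see Root Instance of Kerberos Principal below) is granted access to the root account.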
Recommendations for choosing a Password
In contrast to the principal (which ideally should match your login name on each machine and your email address), your Kerberos password must be unique. That is, it must be different from the passwords you use on non-strengthened machines, so that a password captured from one of those machines cannot be used against the strengthened realm.
A password for the FNAL.GOV strengthened realm is required to contain a minimum of ten characters drawn from at least two of the following five classes: lowercase letters, uppercase letters, numbers, punctuation, and all other characters. Meeting this rule is necessary but not sufficient: passwords the system considers "bad" (for example, dictionary words or simple variations of them) will also be rejected.
You must change your initial Kerberos password within 30 days of its creation. If it expires, you will not be able to log in to strengthened systems and you will also not be able to use your CRYPTOCard.
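The following checker, added here as an example (it is not code from Fermilab or from this page), applies the username guidelines given above under "Username, First Choice" and the FNAL.GOV password structure rule to candidate strings before you submit the form. It assumes that "punctuation" means the ASCII punctuation set and that any character which is not an ASCII letter, digit or punctuation mark (spaces, non-ASCII letters, control characters) falls into the fifth class, "other"; the page does not define the classes more precisely than that. It cannot reproduce the realm's "bad password" dictionary check, so an empty result means only that the structural rules are met.

```python
import re
import string

# Assumption: "punctuation" is the ASCII punctuation set; anything that is
# not an ASCII letter, digit or punctuation mark counts as "other".
PUNCTUATION = set(string.punctuation)
FORBIDDEN_USERNAME_CHARS = set("@_/.")


def check_username(name):
    """Return a list of guideline violations; an empty list means acceptable.

    Rules from the request form: 8 or fewer characters, lowercase letters
    with optional digits 0-9, and none of '@', '_', '/' or '.'.
    """
    problems = []
    if not 1 <= len(name) <= 8:
        problems.append("must be 1 to 8 characters")
    forbidden = sorted(set(name) & FORBIDDEN_USERNAME_CHARS)
    if forbidden:
        problems.append("forbidden character(s): " + " ".join(forbidden))
    if not re.fullmatch(r"[a-z0-9]+", name):
        problems.append("only lowercase letters and digits 0-9 are allowed")
    elif not any(c.isalpha() for c in name):
        problems.append("must contain at least one letter")
    return problems


def password_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in PUNCTUATION:
            classes.add("punct")
        else:
            classes.add("other")
    return classes


def check_password(password, min_length=10, min_classes=2):
    """Check the FNAL.GOV structural rule: >= 10 characters from >= 2 classes.

    Returns a list of problems; an empty list means the structural rule is
    met. The realm's dictionary ("bad password") check is NOT reproduced.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    found = password_classes(password)
    if len(found) < min_classes:
        problems.append(
            f"uses {len(found)} character class(es) "
            f"({', '.join(sorted(found)) or 'none'}); at least {min_classes} required"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real usernames or passwords.
    for name in ("jsmith", "j.smith", "JSmith", "jonathansmith"):
        print(f"username {name!r}: {check_username(name) or 'ok'}")
    for pw in ("abcdefghij", "Abcdefghij", "Ab1!"):
        print(f"password {pw!r}: {check_password(pw) or 'ok'}")
```

Note that a space in a password lands in the "other" class, so `Abc def!9` uses all five classes while `abcdefghij` uses only one and is rejected even though it is long enough.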
CRYPTOCards
Virtually all the Kerberized machines in the FNAL.GOV realm are configured to require entry of a single-use password whenever they receive a login request coming from an unKerberized computer over the network. (Such a password is transmitted over the network, possibly in the clear, and could be intercepted; that is why it must be usable only once.)
How do you get a single-use password that Kerberos will recognize and honor? The FNAL.GOV realm at Fermilab is set up to use CRYPTOCards to provide these single-use passwords. A CRYPTOCard is a calculator-style, battery-powered device used for generating single-use passwords. It gets programmed for use with computers in the FNAL.GOV realm (UNIX machines only) before it is issued to you.
If you are off-site and there is no one travelling from Fermilab to your site who can hand-deliver your card, contact someone in your experiment to request mailing.
What do I need to request?
There are five separate cases, but more than one may apply to you.
Case 1: If you will be connecting over the network from an on-site Windows machine to Windows 2000 resources in the FERMI.WIN.FNAL.GOV domain:
- You need a Kerberos principal and password.
- You may need one of the special principal instances for FERMI.WIN.FNAL.GOV; if you don't know, chances are you don't need one!
Case 2: If you will be connecting over the network from an off-site Windows machine to Windows 2000 resources in the FERMI.WIN.FNAL.GOV domain:
- You need a Kerberos principal and password.
- You need to set up the Fermilab VPN (Virtual Private Network), which "effectively" makes you on-site. The VPN connects your machine to the laboratory network through an encrypted tunnel carried over the public Internet, giving you the functionality of a direct connection to the site while using a local ISP for connectivity. See Installing the VPN Client for Windows for instructions.
- You may need one of the special principal instances for FERMI.WIN.FNAL.GOV; if you don't know, chances are you don't need one!
Case 3: If you will be connecting over the network from a Windows machine to Kerberized UNIX machines in the FNAL.GOV realm:
- First, you need a Kerberos principal and password.
- If you don't want to install Kerberos-aware software on your Windows system, you'll need a CRYPTOCard.
- If you prefer to avoid using a CRYPTOCard, you'll need Kerberos-aware software installed on your Windows system. The Computing Division supports and recommends the WRQ® Reflection software, but your division or experiment may use something else. Check with your supervisor or your group's PC administrator.
Case 4: If you will be connecting over the network to UNIX machines in the FNAL.GOV realm from a UNIX desktop that doesn't run Kerberos-aware software:
Case 5: If you have a Linux (or other UNIX OS) desktop which you need to Kerberize (to "Kerberize" means to install Kerberos-aware software and configure it so that the machine knows about the FNAL.GOV realm and is part of it):
- First, you need a Kerberos principal and password.
- Secondly, to allow Kerberized login (and any other incoming Kerberos connections, including portal mode connections) you must be a registered system administrator, and you must have a host principal and an FTP principal, and associated passwords.
- Once you obtain all these principals and passwords, you will need to install the kerberos product on your machine. For any Computing Division-supported UNIX OS, we recommend that you install UPS/UPD, and download and install the Fermi kerberos product from KITS (an RPM is available for Linux). For an unsupported UNIX OS, we recommend that you go to the MIT Kerberos web site and download kerberos from there (and join the mailing lists kerberos-pilot@fnal.gov or kerberos-users@fnal.gov, and/or view the archives, to benefit from other users' experiences doing the same).
You may also need to request a root instance of your Kerberos principal. Most people do not need a root instance. If you will be needing root access on a strengthened machine, read Root Instance of Kerberos Principal.
Host and FTP Principals
If you plan to log in to your machine over the network and/or offer services, your machine must allow incoming Kerberos connections (including portal mode connections). In this case, you must get a service principal for the host, and one for FTP if that is an offered service. These service principal names are of the form host/mynode.fnal.gov and ftp/mynode.fnal.gov, or, for off-site nodes, something like host/mynode.myuniv.edu and ftp/mynode.myuniv.edu, according to your institution's domain. We also recommend that you get a fixed IP address. If you need host and ftp principals, first register yourself in the database of system administrators. Go to System Administrator Registration to register.
Root Instance of Kerberos Principal
The system administrator of a strengthened machine may require that authorized users obtain a username/root instance of their Kerberos principal in order to access the root account (and/or other sensitive accounts) on the system. The root instance has the properties of disallowing forwardable tickets and having a shorter ticket lifetime. Your system administrator should inform you if you need to obtain one. See section 9.4 Using Root Instance of your Principal.
Request Account(s)
- Fermilab Email Address
- We recommend that every user have a Fermilab email address of the form username@fnal.gov. You should use this address as your reply address and as your advertised email address. This will cause your email to pass through Fermilab's mail gateway server which acts as a distribution point and gateway for electronic mail to and from other systems on the network. The gateway server facilitates the transfer of messages between dissimilar mail systems. It also removes viruses without otherwise affecting the contents of the messages.
- It is not necessary to route a request for this type of account through your supervisor. You may send it directly by entering compdiv@fnal.gov in the "Supervisor/Spokesperson E-mail" area.
- Fermilab IMAP Mail Server Account
- Takes email from the Fermilab Mail Server and makes it available over IMAP (Internet Message Access Protocol). You will need an account on one of the IMAP servers if you are using a mail client (software) which uses IMAP. See IMAP clients for Windows at Fermilab.
- FNALU Account
- FNALU is the central UNIX computing cluster for Fermilab. Its main purpose is to provide general computer services for the experiments as well as for other Fermilab personnel. The cluster consists of several UNIX systems of differing flavors and provides interactive services and batch services. All Fermilab employees, visitors and contractors are eligible for a non-grant usage account on FNALU (with supervisor approval), but not everyone needs one. You can talk to your supervisor about it if you're not sure.
- Briefly describe the type of computing you plan to do on FNALU
- In order to plan for our future system needs, we need to have some idea of what resources you will be using.