To access USQCD computing resources at Fermilab, users require the following three items:
- Visitor ID
- Kerberos account
- Unix accounts on the LQCD cluster machines
Visitor ID and Kerberos account
Submit an online application form for an Affiliate ID and Kerberos account using this link. Follow the instructions for applying for a computing account as a Fermilab affiliate. You do not need to apply for on-site access or a physical ID badge. You will need to enter the following information:
- For your affiliation select Lattice QCD
- Fermilab contact name list Lydia Brynmoor (primary Site Manager)
- Fermilab contact phone list x6783 (Ken Herner, secondary Site Manager)
- Fermilab contact email list brynmool@fnal.gov (primary Site Manager)
Unix accounts on the LQCD cluster machines
After you have received an email with information about your Kerberos account, we need an email from the PI of the project verifying your affiliation to the project. We ask that the PI send an email to hpc-admin@fnal.gov to request the user be added to the project on the LQCD cluster machines. In the email, mention the Kerberos account name, the email address to be added to our lqcd-userss@fnal.gov announcements list, and identify your project name. Type A projects are listed in the allocations table.
Existing Allocation / Projects
In order to add you to an existing project allocation, we need an email from the project’s PI or POC asking that we add your account and associate it with the project. We ask that the user who is requesting the account contact the PI or POC to have them send an email to hpc-admin@fnal.gov. This email should include the user’s Kerberos principal and the project name. We cannot set up an account unless the request comes from or through the project PI or POC.
The current list of allocated projects lists the PI or POC contact person.
Once we have that request, we will create a Request ticket to track the work. Our goal is to have the new account ready within two business days.
You are now all set to start using the Fermilab LQCD clusters. If you get stuck at any of the above steps, please send us an email at lqcd-admin@fnal.gov with a detailed explanation of the issue you are facing.
Renewing your Visitor ID and Kerberos account
Your Visitor ID and computer privileges expire at different intervals depending on your classification (employee, contractor, on-site or off-site visitor). Please note that even when your ID or computer privileges expire we do not erase any user data stored on the Fermilab LQCD clusters.
If you need to look up your Visitor ID number, use the Fermilab telephone directory search pages to look for your name. If an entry exists for you and that entry lists a Visitor ID number, record that number for filling out the account renewal application.
Details regarding the account renewal process for a visitor can be found at this link.
If you still need further assistance, please email us at hpc-admin@fnal.gov.
Changing your Kerberos account password
A month before your Kerberos password is set to expire you will receive a reminder email from the Fermilab Service Desk requesting you to change your password as soon as you can. Please do not ignore this reminder email and act upon it as soon as possible. You will lose remote login privileges to the USQCD cluster resources at Fermilab once your Kerberos password has expired.
Follow the instructions for changing your Kerberos password as listed in this knowledge base article.
If your password expires before you change it, you can still change it as long as you remember what it is. If you don’t remember it, please call the Service Desk at (630) 840-2345 to have it reset.
Kerberos software installation
Many UNIX systems already have Kerberos installed. Use `which kinit` to see whether this software is already in your path. If not, check whether the `/usr/krb5` or `/usr/kerberos` directories exist on your workstation; if so, add `/usr/kerberos/bin` (or the equivalent for krb5) to the front of your path. Generally, if you have `/usr/bin/kinit` installed, you should use that.
On RedHat Linux systems (Mac users: read this), you will need to install the following RPMs (versions will vary):

    krb5-libs krb5-workstation pam_krb5
If Kerberos software is already installed on your system, you will need to modify the configuration file so that your machine knows how to contact the Fermilab key authentication servers. Copy your OS-specific krb5.conf file into /etc. If you are already using Kerberos to access another site, for example NCSA, you will need to modify your existing `/etc/krb5.conf` file as follows:
In the [realms] section, add
    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
        kdc = krb-fnal-4.fnal.gov:88
        kdc = krb-fnal-5.fnal.gov:88
        kdc = krb-fnal-6.fnal.gov:88
        admin_server = krb-fnal-admin.fnal.gov
        master_kdc = krb-fnal-admin.fnal.gov:88
        default_domain = fnal.gov
    }
    WIN.FNAL.GOV = {
        kdc = littlebird.win.fnal.gov:88
        kdc = bigbird.win.fnal.gov:88
        default_domain = fnal.gov
    }
In the [domain_realm] section, add
    .fnal.gov = FNAL.GOV
    .dhcp.fnal.gov = FNAL.GOV
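One way to confirm the edits took effect is the shell check below. It is an added example, not part of the original page or Fermilab's tooling: it parses a krb5.conf, confirms the FNAL.GOV realm and domain mappings are present, and flags any kdc entry whose explicit port is not 88 (the standard Kerberos port). The function names and the sample file are constructed for illustration.

```shell
# Print each "kdc =" value inside REALM's stanza of the [realms] section.
realm_kdcs() {  # usage: realm_kdcs FILE REALM
    awk -v realm="$2" '
        $1 ~ /^\[/ { section = $1; stanza = 0; next }
        section == "[realms]" && $1 == realm && $2 == "=" { stanza = 1; next }
        stanza && index($0, "}") { stanza = 0; next }
        stanza && $1 == "kdc" && $2 == "=" { print $3 }
    ' "$1"
}

# Print the realm that the [domain_realm] section maps DOMAIN to.
domain_realm() {  # usage: domain_realm FILE DOMAIN
    awk -v dom="$2" '
        $1 ~ /^\[/ { section = $1; next }
        section == "[domain_realm]" && $1 == dom && $2 == "=" { print $3; exit }
    ' "$1"
}

# Return 0 only if FILE has FNAL.GOV KDCs on port 88 and both domain mappings.
check_fnal_conf() {  # usage: check_fnal_conf FILE
    status=0; kdcs=$(realm_kdcs "$1" FNAL.GOV)
    [ -n "$kdcs" ] || { echo "FAIL: no kdc entries for FNAL.GOV"; status=1; }
    for kdc in $kdcs; do
        case $kdc in
            *:88) ;;                                   # explicit standard port
            *:*)  echo "FAIL: $kdc is not on port 88"; status=1 ;;
        esac                                           # no port: library default (88)
    done
    for dom in .fnal.gov .dhcp.fnal.gov; do
        [ "$(domain_realm "$1" "$dom")" = FNAL.GOV ] || { echo "FAIL: $dom not mapped"; status=1; }
    done
    return "$status"
}

# Constructed sample (hypothetical helper): trimmed stanza; $2 sets the last KDC's port.
write_sample_conf() {  # usage: write_sample_conf FILE PORT
    cat > "$1" <<EOF
[realms]
    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-6.fnal.gov:$2
    }
[domain_realm]
    .fnal.gov = FNAL.GOV
    .dhcp.fnal.gov = FNAL.GOV
EOF
}
tmp=$(mktemp) && write_sample_conf "$tmp" 8    # a port truncated by a typo
check_fnal_conf "$tmp" || echo "sample rejected"; rm -f "$tmp"
```

Run `check_fnal_conf /etc/krb5.conf` against your own file after editing it.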
A user must have a valid Kerberos ticket before they can log in to a Fermilab machine. Here is a sample session showing a typical Kerberos dialog to obtain a ticket; johndoe@FNAL.GOV is the Kerberos principal. To log in remotely, you must use a Secure Shell (SSH) client that supports Kerberos.
    login.somemachine:~$ kinit -r 7d johndoe@FNAL.GOV
    Password for johndoe@FNAL.GOV:
    somemachine:~$ ssh lq.fnal.gov
    NOTICE TO USERS
    This is a Federal computer (and/or it is directly connected to a Fermilab local network system) that is the property of the UnitedStates Government. It is for . . . .
    <---snip--->
    lq:~$
Please note:
- You should only kinit on your local machine, from its console. Do not execute `kinit` over a network connection (e.g. public wireless access point), since this can expose your Kerberos password.
- You will probably want to request renewable tickets since tickets by default expire 24 hours after they are issued unless renewed with `kinit -R`. Tickets can be renewed for up to 7 days if you request a ticket using `kinit -r 7d`. The maximum renewable period is 7 days.
- Use `klist` to check whether you hold a valid ticket.
- If you are connecting from home behind a firewall which uses NAT (Network Address Translation), you’ll need to use address-less tickets. Most versions of Kerberos will give you address-less tickets if you use the -n switch. Other versions of Kerberos may use the -A switch. Check your man page for `kinit` or use `kinit --help` to see which switch is supported.