To access USQCD computing resources at Fermilab users require the following three items:<\/p>\n\n\n\n
Visitor ID and Kerberos account<\/span><\/p>\n\n\n\n Submit an online application form for a Affiliate ID and Kerberos account using this link<\/a>. Follow the instructions for applying for a computing account as a Fermilab affiliate. You do not need to apply for on-site access or a physical id badge. You will need to enter the following information: <\/p>\n\n\n\n Unix accounts on the LQCD cluster machines<\/span><\/p>\n\n\n\n After you have received an email with information about your Kerberos account, We need an email from the PI of the project verifying your affiliation to the project. We ask that the PI send an email to hpc-admin@fnal.gov<\/a> to request the user be added to the project on the LQCD cluster machines. In the email, mention the Kerberos account name, the email address to be added to our lqcd-userss@fnal.gov announcements list, and identify your project name. Type A projects are listed in the allocations table<\/a>. <\/p>\n\n\n\n In order to add you to an existing project allocation, we need an email from the project’s PI or POC asking that we add your account and associate it with the project. We ask that the user who is requesting the account contact the PI or POC to have them send an email to hpc-admin@fnal.gov<\/a>. This email should include the user’s Kerberos principal and the project name. We can not set up an account unless the request comes from or through the project PI or POC.<\/p>\n\n\n\n The current list of allocated projects<\/a> lists the PI or POC contact person.<\/p>\n\n\n\n Once we have that request, we will create a Request ticket to track the work. Our goal is to have the new account ready within two business days.<\/p>\n\n\n\n You are now all set to start using the Fermilab LQCD clusters. If you get stuck at any of the above steps please send us an email to lqcd-admin@fnal.gov<\/a> with a detailed explanation of the issue you are facing.<\/p>\n\n\n\n Your Visitor ID and computer privileges expire at different intervals depending on your classification (employee, contractor, on-site or off-site visitor). Please note that even when your ID or computer privileges expire we do not erase any user data stored on the Fermilab LQCD clusters<\/span>.<\/p>\n\n\n\n If you need to look up your Vistor ID number then use the Fermilab telephone directory<\/a> search pages to look for your name. If an entry exists for you and that entry lists a Visitor ID number, record that number for filling out the account renewal application.<\/p>\n\n\n\n Details regarding the account renewal process for a visitor<\/span> can be found at this link<\/a>.<\/p>\n\n\n\n If you still need further assistance please email us at hpc-admin@fnal.gov<\/a><\/p>\n\n\n\n A month before your Kerberos password is set to expire you will receive a reminder email from the Fermilab Service Desk requesting you to change your password as soon as you can. Please do not ignore this reminder<\/span> email and act upon it as soon as possible. You will lose remote login privileges to the USQCD cluster resources at Fermilab once your Kerberos password has expired.<\/p>\n\n\n\n Follow the instructions for changing your Kerberos password as listed in this knowledge base article<\/a>.<\/p>\n\n\n\n If your password expires before you change it, you can still change it as long as you remember what it is. If you don’t remember it, please call the Service Desk at (630) 840-2345 to have it reset.<\/p>\n\n\n\n Many UNIX systems already have Kerberos installed. Use On RedHat Linux systems (MAC read this<\/a>), you will need to install the following RPM’s (versions will vary):<\/p>\n\n\n\n If Kerberos software is already installed on your system, you will need to modify the configuration file so that your machine knows how to contact the Fermilab key authentication servers. Copy your OS-specific krb5.conf file in \/etc. If you are already using Kerberos to access another site, for example, NCSA, you will need to modify your existing In the [realms]<\/strong> section, add<\/p>\n\n\n\n In the [domain_realm<\/strong>] section, add<\/p>\n\n\n\n A user must have a valid Kerberos ticket before they can log in to a Fermilab machine. Here is a sample session showing a typical Kerberos dialog to obtain a Kerberos ticket. johndoe@FNAL.GOV is the Kerberos principal. You must use Secure SHell (SSH) that supports Kerberos to remote login.<\/p>\n\n\n\n Please note:<\/p>\n\n\n\n To access USQCD computing resources at Fermilab users require the following three items: Visitor ID and Kerberos account Submit an online application form for a Affiliate ID and Kerberos account using this link. Follow the instructions for applying for a computing account as a Fermilab affiliate. You do not need to apply for on-site access or… More »<\/a><\/p>\n","protected":false},"author":16,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-121","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/computing.fnal.gov\/lqcd\/wp-json\/wp\/v2\/pages\/121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computing.fnal.gov\/lqcd\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/computing.fnal.gov\/lqcd\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/computing.fnal.gov\/lqcd\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/computing.fnal.gov\/lqcd\/wp-json\/wp\/v2\/comments?post=121"}],"version-history":[{"count":36,"href":"https:\/\/computing.fnal.gov\/lqcd\/wp-json\/wp\/v2\/pages\/121\/revisions"}],"predecessor-version":[{"id":7648,"href":"https:\/\/computing.fnal.gov\/lqcd\/wp-json\/wp\/v2\/pages\/121\/revisions\/7648"}],"wp:attachment":[{"href":"https:\/\/computing.fnal.gov\/lqcd\/wp-json\/wp\/v2\/media?parent=121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
Existing Allocation \/ Projects<\/h5>\n\n\n\n
Renewing your Visitor ID and Kerberos account<\/h3>\n\n\n\n
Changing your Kerberos account password<\/h3>\n\n\n\n
Kerberos software installation<\/h3>\n\n\n\n
which kinit <\/code>to see whether this software is already in your path. If not, check if \/usr\/krb5<\/code> or \/usr\/kerberos<\/code> directories exist on your workstation – if so, add \/usr\/kerberos\/bin<\/code> (or the equivalent for krb5) to the front<\/strong> of your path. Generally, if you have \/usr\/bin\/kinit <\/code>installed, you should use that.<\/p>\n\n\n\nkrb5-libs\nkrb5-workstation\npam_krb5\n<\/pre>\n\n\n\n
\/etc\/krb5.conf<\/code> file as follows:<\/p>\n\n\n\nFNAL.GOV = {\n kdc = krb-fnal-1.fnal.gov:88\n kdc = krb-fnal-2.fnal.gov:88\n kdc = krb-fnal-3.fnal.gov:88\n kdc = krb-fnal-4.fnal.gov:88\n kdc = krb-fnal-5.fnal.gov:88\n kdc = krb-fnal-6.fnal.gov:8\n admin_server = krb-fnal-admin.fnal.gov\n master_kdc = krb-fnal-admin.fnal.gov:88\n default_domain = fnal.gov\n}\n\nWIN.FNAL.GOV = {\n kdc = littlebird.win.fnal.gov:88\n kdc = bigbird.win.fnal.gov:88\n default_domain = fnal.gov\n} <\/pre>\n\n\n\n .fnal.gov = FNAL.GOV\n .dhcp.fnal.gov = FNAL.GOV<\/pre>\n\n\n\n
login.somemachine:~$ kinit -r 7d johndoe@FNAL.GOV
Password for johndoe@FNAL.GOV:
somemachine:~$ ssh lq.fnal.gov
NOTICE TO USERS
This is a Federal computer (and\/or it is directly connected to a Fermilab local network system) that is the property of the UnitedStates Government. It is for . . . .
<---snip--->
lq:~$<\/pre>\n\n\n\n\n
kinit<\/code> over a network connection (e.g. public wireless access point), since this can expose your kerberos password.<\/li>\n\n\n\nkinit -R<\/code>. Tickets can be renewed for up to 7 days if you request a ticket using kinit -r 7d<\/code>. The maximum renewable period is 7 days.<\/li>\n\n\n\nklist<\/code> to check whether you hold a valid ticket.<\/li>\n\n\n\nkinit<\/code> or use kinit --help<\/code> to see which switch is supported.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"