DØ Computer Accounts and Access

Overview of Authentication, Access, and Accounts

• Authentication
• Accounts Overview
• Access
• Access to D0 Private Web pages
• Kerberos Overview
• DHCP Registration

Authentication

There are basically two different authentication domains or realms at Fermilab plus several auxiliary "accounts". ALL Unix access is via the FNAL.GOV kerberos realm, your kerberos password and cryptocard. All Windows access is via the Fermi Windows domain. Only Win2k and WinXP support this now.

Among the auxiliary accounts which are authenticated independently are the DØ Web Access, the <user>@FNAL.GOV mail forwarder, the Fermilab IMAP mail servers and others.

Kerberos and Windows authentications and the various auxiliary accounts are totally separate but are required to have the same username at Fermilab.

In addition to the authentication, you also need accounts or resources allocated on the relevant machines. The common ones are listed below.

Accounts Overview

There are four separate computer "accounts" that people may need at DØ, plus possibly many others at Fermilab, including two that are very common for DØ people:

• DØ CAS (Central Analysis System), dØminoXX (the central login pool), CAB (the Linux Central Analysis Backend compute servers) plus several other machines, including the remaining RunI machine.
• ClueDØ, The Linux desktops. Your institute must have provided machines and resources to the cluster before you can obtain an account
• DØ Windows, the windows (Win2k and WinXP now) desktops plus the disk and printer resources hosted on DØ Windows machines. You must be added to the Dzero Organizational Unit.
• DØWebAccess, not a real account but has a username and password like an account. It gives you read access to the various DØ Private web pages.

The most common non-DØ accounts people need are

• the Fermilab Mail Gateway (<username>@FNAL.GOV mail address). See Usage for recommended usage of this address. You will get this one whenever you get any account at Fermilab.
• IMAP mail accounts

These last two are not described here, but really are quite useful. See Fermilab Email in particular the "Servers" link, for more information on these and the other Fermilab email services.

The Account Request form will allow you to get all the accounts above.

Online System. You need to contact the D0 Online Administrators to get an account on the Online system. You cannot use the New Accounts pages to obtain an account on the Online System.

Access

Access to all Fermilab Unix Computer systems is now controlled centrally by the Kerberos authentication protocol. You have one kerberos "principal" and its associated password and cryptocard (supplies one time use passwords). Once you have authenticated via kerberos, if you have an account on a Unix system, you will be allowed to login. None of the Unix systems have their own passwords any longer.

This means that you must have a valid kerberos password, even if you never use it because you always login via cryptocard (one time password).

• If you have never had one, go to Account Request to obtain a new account.
• If you have had access via Kerberos, there are two ways (that I know of) that the principal and/or password can become disabled:
  1. your Fermilab ID authorization has expired. This will disable your kerberos principal. The error message will be that your "principal has been disabled". To fix that you need to obtain a new authorization (or a new Fermilab ID). See the instructions on this page under the Revalidating Fermilab ID link.
  2. your password has expired. The error message will be that your "Password has expired while getting initial credentials". This will occur 30 days after having received a new one and 400 days after having changed it. To fix that follow the instructions on this page under the Reset Password link, then "see Changing Kerberos Passwords". I advise people to always change it on their birthday (anniversary of their birth) to prevent this from being necessary.

Access to Windows machines is now also controlled centrally by the MicroSoft authentication systems. All windows machines are no in the "Fermi\" windows domain. The Dzero and FNAL domains no longer exist. See d0server1.fnal.gov for more information.

Access to D0 Private Web pages

DØWebAccess is not a real account but access to the various D0 Private web pages requires a username and password like an account.

Change your d0web password at: http://www-d0.fnal.gov/cgi-bin/webpasswd.pl

NOTE: this password can not be the same as any other password you use at Fermilab. It is transmitted in the clear whenever you use it. So it is not at all secure and should be changed frequently.

To get a new password, you need to send email to d0web-support@fnal.gov.

Kerberos Overview

Introduction

The lab has chosen to implement strong authentication via the Kerberos software. A Computing Division team has provided Kerberos as a ups/upd product, and its installation on lab central systems and Linux desktops is smooth and easy. PC users can get WRQ for easy access. It allows Unix access without the need to use their Cryptocard each time they login.

Before You Start

You must have a valid Fermilab Users' ID in order to get or keep any computer accounts at Fermilab. Soon, you will have to have a Kerberos principal (labwide account) in order to access any Fermilab computer. This is already true of DØ computers. If you will never be logged on to any DØ machine then you do NOT need anything.

If you already have a DØ CAS (Central Anaylsis Systems) account, then this is the page for you. If you do not have an account on the DØ CAS (Central Anaylsis Systems) go to New Accounts and fill out the forms there. All the forms you need to obtain or re-verify a Fermilab Visitor's ID, to obtain a Kerberos Principal/Cryptocard and all D0 computer accounts are available there.

Important Links

• User ID Verification Form - for users who need to apply for a Fermilab Visitor's ID or renew an expired ID and who CANNOT come to Fermilab to do it in person.

• D0-Specific WRQ instructions

• WRQ request form

• Professor's Guide to Kerberos - this is a walkthrough of all the things you need to do to get and use Kerberos principals and/or cryptocards.

• The Strong Authentication at Fermilab Manual - the official, long guide to Kerberos at Fermilab, including instructions on installation and use of the various pieces, including the CryptoCard.

DHCP Registration

Registration of network devices is now required at Fermilab before any network addresses are issued. When an unregistered machine tries to obtain a DHCP lease, it will get a short-lived, restricted, network connection.. Trying to access any web page or telnet session will bring up the registration page. The registration page asks for some basic contact information (name, email, institution, etc) and should take only about a minute to fill out. While the user is filling out the information, a basic vulnerability scan will be performed looking for current urgent problems. If the information is provided and the system passes the scan, a DHCP lease good for the rest of that day will be provided. If there are problems, the user will be directed to appropriate help.

If the machine will be at FNAL for longer than a few days, the machine must also be registered in the permanent database, as temporary registration will only be allowed for a limited period. Permanent registration should become effective within one or two working days.

DHCP Registration Requirements provides more information about DHCP registration

D0 users can use this simplified IP Address Request form.

DØ Accounts
Security, Privacy, Legal
Last modified: April 21, 2005 03:18:27 PM CDT