DØ Computer Accounts and Access


Overview of Authentication, Access, and Accounts

Before You Start

This page is used to obtain D0-specific computer accounts. Before that can happen, you must have a Fermilab ID and be granted access to Fermilab resources. You need both before you can begin to do anything. How you go about gaining access depends on your situation. See the Getting Started checklist below.

Note that the Fermilab ID is not the same as the physical ID badge. You'll need the latter when or if you come to Fermilab, and it can only be obtained in person. You do not need a valid ID badge to use Fermilab computers, but you do need a valid ID authorization. You need that same authorization to obtain an ID badge. Also note that the expiration dates of the two can differ. You can obtain an ID number either in person from the Users' Office in Wilson Hall, or remotely by filling out a form on the web. The process is explained at Obtain or Renew Visitor's ID and Kerberos Account.

Quick Checklist - Getting Started

Authentication

There are three principal authentication domains or realms at Fermilab plus several auxiliary "accounts". Most of the Fermilab utility accounts (email, time cards, service desk requests ... a growing list) are accessed via a "services" username/password. ALL Unix access is via the FNAL.GOV Kerberos realm, your Kerberos password and Cryptocard. All Windows access is via the Fermi Windows domain.

There are a few other auxiliary accounts which are authenticated independently. These include the DØ Web Access, the <user>@FNAL.GOV mail forwarder and others.

Kerberos and Windows authentications and the various auxiliary accounts are totally separate but are required to have the same username at Fermilab.

In addition to the authentication, you also need accounts or resources allocated on the relevant machines. The common ones are listed below.

Accounts Overview

There are four separate computer "accounts" that people may need at DØ, plus possibly many others at Fermilab, including two that are very common for DØ people:

The most common non-DØ accounts people need are

These last two are not described here, but really are quite useful. See Fermilab Email, in particular the "Servers" link, for more information on these and the other Fermilab email services.

The Account Request form will allow you to get ONLY the D0 accounts above. For non-DØ accounts see:
the service desk Getting Services -> Accounts and Passwords

Online System. You must contact Bill Lee or Geoff Savage with your reason for needing an account in order to get an account on the Online system. If you do need an Online account, Bill or Geoff will request an account from helpdesk. You cannot use the New Accounts pages to obtain an account on the Online System.

Access

Access to all Fermilab Unix computer systems is now controlled centrally by the Kerberos authentication protocol. You have one Kerberos "principal" and its associated password and Cryptocard (which supplies one-time passwords). Once you have authenticated via Kerberos, if you have an account on a Unix system, you will be allowed to log in. None of the Unix systems have their own passwords any longer.

This means that you must have a valid Kerberos password, even if you never use it because you always log in via Cryptocard (one-time password).

Access to Windows machines is now also controlled centrally by the Microsoft authentication systems. All Windows machines are now in the "Fermi\" Windows domain. The Dzero and FNAL domains no longer exist. See d0server1.fnal.gov for more information.

Access to D0 Private Web pages

DØWebAccess is not a real account but access to the various D0 Private web pages requires a username and password like an account.

Change your d0web password at: http://www-d0.fnal.gov/cgi-bin/webpasswd.pl

NOTE: this password cannot be the same as any other password you use at Fermilab. It is transmitted in the clear whenever you use it, so it is not at all secure and should be changed frequently.

To get a new password, you need to send email to d0web-support@fnal.gov.

Kerberos Overview

Introduction

The lab has chosen to implement strong authentication via the Kerberos software. A Computing Division team has provided Kerberos as a ups/upd product, and its installation on lab central systems and Linux desktops is smooth and easy. PC users can get WRQ for easy access; it allows Unix access without the need to use a Cryptocard at each login.

Before You Start

You must have a valid Fermilab Users' ID in order to get or keep any computer accounts at Fermilab. You also must have a valid Kerberos principal (labwide account) in order to access any Fermilab Unix computer, including those at DØ. If you will never be logged on to any DØ machine then you do NOT need anything.

If you already have a DØ CAS (Central Analysis Systems) account, then this is the page for you. If you do not have an account on the DØ CAS (Central Analysis Systems), go to New Accounts and fill out the forms there. All the forms you need to obtain or re-verify a Fermilab Visitor's ID, to obtain a Kerberos Principal/Cryptocard and all D0 computer accounts are available there.

Important Links

DHCP Registration

Registration of network devices is now required at Fermilab before any network addresses are issued. When an unregistered machine tries to obtain a DHCP lease, it will get a short-lived, restricted network connection. Trying to access any web page or telnet session will bring up the registration page. The registration page asks for some basic contact information (name, email, institution, etc.) and should take only about a minute to fill out. While the user is filling out the information, a basic vulnerability scan will be performed looking for current urgent problems. If the information is provided and the system passes the scan, a DHCP lease good for the rest of that day will be provided. If there are problems, the user will be directed to appropriate help.

If the machine will be at FNAL for longer than a few days, the machine must also be registered in the permanent database, as temporary registration will only be allowed for a limited period. Permanent registration should become effective within one or two working days.

DHCP Registration Requirements provides more information about DHCP registration.

D0 users can use this simplified IP Address Request form.