How to log into cmsuaf from Wisconsin HEP computers

The directions from USCMS are here: http://uscms.org/SoftwareComputing/UserComputing/ConnectUAF.html. However, you need to follow additional directions.

The relevant issues with logging in

• There are three programs you will want to run: kinit to get permission to login, klist to check those permissions, and ssh to actually connect. However, on the hep.wisc.edu computers, the default versions of kinit and ssh are not the ones that work, and the "klist" command doesn't exist. Therefore, wherever the webpage says "kinit", "klist", or "ssh", you need to insert the following commands:

  kinit --> /usr/kerberos/bin/kinit
  klist --> klist-krb5
  ssh   --> ssh-krb5
  

• In addition, due to something with the Scientific Linux 3.0.4 operating system that the hep.wisc.edu computers use, you can't actually log into cmsuaf.fnal.gov or cmsuafng.fnal.gov as such; you will have to log into one of the direct access nodes listed on the above USCMS webpage (the nodes are cmswn0xx.fnal.gov where xx is 51 through 55). Now it is possible to just login to cmslpc.fnal.gov.

Recipe for actually logging in

1. Get your kerberos ticket with the kinit command. The -A means it will be addressless, and the -f means it will be forwardable. If your Fermilab username ("kerberos principal") is different from your hep.wisc.edu username, you'll need to put that in the command, too. You might also need to append @FNAL.GOV to the end of your username, although I've found I don't have to.

   $ /usr/kerberos/bin/kinit -A -f [fnal_username]
   

   Enter your FNAL kerberos password at the prompt.
2. Now you want to make sure you got a ticket and that it's addressless. The -a lists all the addresses (there shouldn't be any), and the -f lists all the flags.

   $ klist-krb5 -a -f
   

   Depending on whether you've already tried logging in, there will be one or more entries in the list. Each should have a Flags: field and an Addresses: field.
   • The Flags: field should say FIA if it's the first entry, or FA if it's not. The F means "forwardable", the I means "initial", and the A means "preAuthenticated". (You can get this information by googling the klist man page. Although the hep.wisc.edu computers don't recognize "klist", they have a klist man page -- which, however, does NOT contain the correct information!)
   • The Addresses: field should say "(none)".
3. Connect to a direct access node with ssh-krb5. Remember, the direct access nodes are cmswn0xx.fnal.gov where xx is 51 through 55. If your Fermilab username is different from your hep.wisc.edu username, you will need to use either the -l option or put your username and "@" in front of the computer you're logging into. Examples:

   $ ssh-krb5 cmslpc.fnal.gov
   

   $ ssh-krb5 -l joeschmoe cmslpc.fnal.gov
   

   $ ssh-krb5 joeschmoe@cmslpc.fnal.gov
   

   This will log you in. If after the welcome message you see a line like

   /usr/X11R6/bin/xauth:  timeout in locking authority file 
   /afs/fnal/files/home/room2/jleonard/.Xauthority
   

   this means that you don't have the correct permissions, and you won't be able to write to your home directory. (See the USCMS FAQ page, http://www.uscms.org/SoftwareComputing/UserComputing/FAQ.html.)

This is the process that I have found to work. Let me know if you think something's wrong. The USCMS page above ( http://uscms.org/SoftwareComputing/UserComputing/ConnectUAF.html) also has a lot of information. A recent e-mail from the USCMS computing people said they wanted to phase out the direct access nodes, but later I got confirmation that they'd keep them around for the people like us who can't log in any other way. We can now login using the head nodes.