How to get access to the cluster:

Any modern Linux distribution with OpenSSH configured with GSSAPI and Kerberos configured for the FNAL.GOV realm should be able to connect to the UAF cluster through the load balancer.

First check if you already have an account on the cluster. To check, click here. It is assumed that you already have a Fermilab ID, FNALU account and Kerberos principal. If not, visit the "Get an Account" section.

Access to the UAF cluster is controlled by a load balancing switch which redirects incoming connections to the least busy node.

Connecting to the UAF from a Linux PC

To connect to the UAF cluster you need to have Kerberos and OpenSSH with GSS support installed on your system. This is already included in Scientific Linux 4. In addition you will need to get the krb5.conf file for Fermilab and save it as /etc/krb5.conf.

Edit ~/.ssh/config and add

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

To connect to the UAF cluster:

Get an addressless and forwardable Kerberos ticket for the FNAL.GOV Kerberos realm:

    /usr/krb5/bin/kinit -n -f user@FNAL.GOV

or

    /usr/kerberos/bin/kinit -A -f user@FNAL.GOV

You will be prompted for your Kerberos password in the FNAL.GOV realm.

To verify that you have an addressless and forwardable Kerberos ticket:

    klist -a -f

Connect to the cluster:

    ssh cmslpc.fnal.gov

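A pre-flight check for the steps above, added here as an example and not part of the original instructions: ticket_ok confirms from klist -a -f output that the ticket is forwardable and addressless, and delegation_scope reports which hosts GSSAPIDelegateCredentials yes applies to, since a setting placed outside a Host block applies to every host you authenticate to with GSSAPI. The sample klist output, the Host pattern and both function names are constructed for illustration.

```shell
# Added example: pre-flight checks for the Linux steps above.
# Real use:  klist -a -f | ticket_ok FNAL.GOV
#            delegation_scope < ~/.ssh/config

# Succeed only if the TGT for realm $1 is forwardable (flag F) and addressless.
ticket_ok() {
    awk -v tgt="krbtgt/$1@$1" '
        $NF == tgt              { in_tgt = 1; next }
        in_tgt && /Flags:/      { if ($NF ~ /F/) fwd = 1 }
        in_tgt && /Addresses:/  { if ($0 ~ /\(none\)/) noaddr = 1; in_tgt = 0 }
        END                     { exit !(fwd && noaddr) }
    '
}

# Print where "GSSAPIDelegateCredentials yes" applies: "global" when it is set
# before any Host line, otherwise the Host patterns ("Keyword value" form only).
delegation_scope() {
    awk '
        tolower($1) == "host" { $1 = ""; scope = substr($0, 2); next }
        tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" {
            print (scope == "" ? "global" : scope)
        }
    '
}

# Constructed sample of MIT-style `klist -a -f` output (not a real session).
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@FNAL.GOV

Valid starting     Expires            Service principal
01/10/06 09:00:00  01/11/06 11:00:00  krbtgt/FNAL.GOV@FNAL.GOV
	renew until 01/17/06 09:00:00, Flags: FRIA
	Addresses: (none)
EOF
}

# Constructed ~/.ssh/config that limits delegation to the UAF hosts.
sample_ssh_config() {
    cat <<'EOF'
Host cmslpc cmslpc*.fnal.gov
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
}

sample_klist | ticket_ok FNAL.GOV && echo "ticket: forwardable, addressless"
echo "delegation applies to: $(sample_ssh_config | delegation_scope)"
```
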
KNOWN ISSUES and WORKAROUNDS

1) To log into the cluster from an SLC machine:

    kinit -A -f user@FNAL.GOV
    ssh -2 user@cmslpc.fnal.gov

2) Mac users who have updated their ssh to a version greater than 3.8 will need to use both the -X and -Y options on the ssh command line:

    ssh -X -Y cmslpc

This will enable X11 forwarding.

The versions of ssh that do not work with the load balancer are the ones that do not support GSSAPI or do not handle the redirection correctly and break AFS authentication. The ones known not to work correctly are:

- OpenSSH with GSSAPI support in SL3 breaks AFS authentication
- WRQ Reflection X ssh client (based on OpenSSH 3.6.2 with GSSAPI) breaks AFS authentication
- Any Fermi OpenSSH before 3.5p1f12 breaks AFS authentication.

For these versions the UAF direct access nodes must be used if you would like to access your AFS area to edit your public_html directory.

UAF direct access nodes.

Other versions of ssh for Linux or Windows PCs may not work correctly (i.e. AFS authentication error messages at login) with the load balancer. If accessing the UAF through the load balancer produces error messages, you can try accessing the UAF cluster through one of the following direct access nodes:

- ssh cmslpc11.fnal.gov
- ssh cmslpc12.fnal.gov

The direct access UAF nodes are equivalent to other UAF nodes except that they can be accessed directly.

Non-kerberized ssh clients

Any ssh client without Kerberos authentication can be used to connect to the UAF cluster. A Cryptocard is used to generate a password in this case.

Connecting to the UAF from a Windows PC.

Connecting to the UAF cluster through the load balancer from a Windows PC is known to work with Kerberized PuTTY. Other terminal programs such as WRQ Reflection ssh and OpenSSH for Cygwin only work with the direct access nodes (see above). Directions are given below for establishing a connection to the CMSLPC with Kerberized PuTTY. Directions for installing Cygwin/X or Xming, both free X servers for Windows, are also given. These packages are optional since commercial alternatives such as WRQ Reflection and Exceed exist. Also included are directions for using WinSCP and OpenAFS for Windows to access files in your account.

Kerberos and PuTTY:

A patched version of PuTTY which supports Kerberos/GSSAPI authentication can be found at http://sweb.cz/v_t_m/putty/PuTTY-0.58-GSSAPI-2005-07-24.zip. Download the zip file to your desktop and unzip it. You will also need to download and install MIT Kerberos for Windows. The Kerberos for Windows installer can be found at the MIT Kerberos download page.

- To get your Kerberos ticket:
  - Select Start -> All Programs -> Kerberos for Windows -> Network Identity Manager
  - Enter your Kerberos principal, password and FNAL.GOV for the realm and click Login.
- To connect to the UAF for the first time with PuTTY:
  - Double click on the PuTTY icon in the directory where you downloaded the putty.exe file.
  - In the PuTTY configuration window:
    - select Session and enter cmslpc.fnal.gov in the HostName field
    - select Connection and enter your username in the Auto-login username field
    - select Connection -> SSH -> Tunnels and check "Enable X11 forwarding"
    - select Connection -> SSH and check "2 only" for "Preferred SSH protocol version"
    - select Session and enter UAF in the Saved Sessions field and click Save
    - double click on UAF in the Saved Sessions list
- To connect to the UAF with PuTTY:
  - Double click the PuTTY icon.
  - In the PuTTY configuration window:
    - select Session and double click on UAF in the Saved Sessions list

Kerberos and SFTP:

A version of WinSCP which supports Kerberos authentication for SFTP transfers can be downloaded from Sourceforge.net. Use this program to transfer files to and from the LPC cluster. Because the AFS authentication does not work correctly, you can only read from your home directory on AFS with WinSCP. However, you can read and write from /uscms/home and /uscms_data/d1 with WinSCP.

- To connect to the UAF for the first time with WinSCP:
  - Click Start -> All Programs -> WinSCP -> WinSCP or the WinSCP icon on the desktop.
  - Check the Advanced option checkbox
  - Select Preferences -> Integration -> and specify the path to PuTTY in External applications
  - Select SSH -> Authentication and check the boxes for Kerberos 5 authentication
  - Click Save
  - Enter cmslpc.fnal.gov in Host Name
  - Enter your username in User Name
  - Click Save
  - Click Login
- To connect to the LPC cluster with WinSCP:
  - Click Start -> All Programs -> WinSCP -> WinSCP or the WinSCP icon on the desktop.
  - Select the previously saved session
  - Click on Login

X servers:

Cygwin/X and Xming are implementations of X11 on the Windows platform. With X11 forwarding enabled in PuTTY and an X server running, programs like Root and emacs can be displayed on the Windows desktop.

To install Cygwin/X follow the download and installation directions from the user's guide.

- After installing Cygwin/X copy c:\cygwin\X11R6\bin\startxwin.bat to the desktop. Edit startxwin.bat and remove the line

      run xterm -e /usr/bin/bash -l

To start the X server double click on startxwin.bat.

OpenAFS:

Files from your AFS home area can be accessed through AFS. The OpenAFS client for Windows allows users to access their files in AFS.

- The OpenAFS client for Windows can be downloaded from here.
- During the installation enter fnal.gov as the AFS cell. After installation is complete you will be required to reboot to activate the OpenAFS client.

After rebooting the OpenAFS client will prompt you to enter your AFS username and password to obtain an AFS ticket. This prompt can be canceled since the AFS ticket can be obtained using aklog.

- To get your AFS ticket:
  - Obtain your Kerberos ticket as described above.
  - Select Start -> All Programs -> HPCMP Kerberos -> aklog
- To access AFS files:
  - Select Start -> All Programs -> OpenAFS -> Authentication or the padlock icon in the system tray.
  - In the AFS client window select Drive Letters and click on Add. Enter the path in AFS that you want to access.
  - Select Start -> My Computer and double click on the newly created drive letter.