DUNE / FAQ

Frequently asked questions for DUNE computing
Apache License 2.0

Connection problems, ssh, kinit and accounts. #7

Open hschellman opened 3 years ago

hschellman commented 3 years ago

Problems with connections to Fermilab machines can arise for several different reasons.

Before putting in a service desk ticket, download and run this script and provide the output. That saves about 20 back-and-forths as the experts ask you to check things.

  1. Make certain you have Kerberos on your machine. OSX has it by default; you may need to install it on Unix or Windows systems.

    1. Make certain your krb5.conf is up to date and knows about FERMILAB: https://authentication.fnal.gov/krb5conf/
    2. Maybe you have a NAT which is blocking communication with the FNAL KDC. See the troubleshooting doc above for ideas on how to deal with that.
    3. You are running conda and it has messed with your Kerberos config. Here we suggest either a) kinit before you activate conda or b) force conda to cache credentials where you want:
      export KRB5CCNAME=KCM:uid
      kinit -f -V -c $KRB5CCNAME <username>@FNAL.GOV
  2. Your local username isn't the same as your Fermilab username. I use an environment variable for hosts that includes my correct remote username to avoid this common mistake.

  3. You can kinit, but 'ssh -Y @dunegpvm0X.fnal.gov' doesn't work.

Your ssh config needs some special things included; make certain you have:

Host 131.225.* *.fnal.gov
    ForwardX11 yes
    ForwardX11Trusted yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

  4. Your Kerberos account has expired.
    Error message: kinit: krb5_get_init_creds: Error from KDC: CLIENT EXPIRED
    You need to renew your Kerberos account password once/year and yours has expired. At this point you likely have to contact the Helpdesk to set a new password.

See https://computing.fnal.gov/wilsoncluster/kerberos-ssh-troubleshooting/ and https://computing.fnal.gov/lqcd/troubleshooting-kerberos-kinit-problems/ for more troubleshooting hints.
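
An added example (not the script this FAQ entry links to, and not DUNE or Fermilab code): a POSIX shell check for items 1.1, 2 and 3 above, reading the effective client settings from `ssh -G` and the ticket principal from `klist`. The function names and the `/etc/krb5.conf` default path are assumptions.

```shell
#!/bin/sh
# Added example, not the script the page links to; function names are hypothetical.

# realm_in_conf FILE REALM: succeed if REALM has an entry in FILE's [realms] section.
realm_in_conf() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
        in_realms   { key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*/, "", key)
                      if (key == realm) found = 1 }
        END         { exit !found }
    ' "$1"
}

# missing_ssh_opts: stdin is `ssh -G <host>` output (the effective client config).
# Prints each option from the page's Host block whose effective value is not "yes".
missing_ssh_opts() {
    awk '
        BEGIN { n = split("gssapiauthentication gssapidelegatecredentials forwardx11 forwardx11trusted", want, " ") }
        { val[tolower($1)] = tolower($2) }
        END { for (i = 1; i <= n; i++) if (val[want[i]] != "yes") print want[i] }
    '
}

# ssh_user: stdin is `ssh -G <host>` output; prints the remote login name ssh will use.
ssh_user() { awk 'tolower($1) == "user" { print $2; exit }'; }

# principal_user: stdin is `klist` output; prints the principal name without its realm.
principal_user() { awk '/rincipal:/ { p = $NF; sub(/@.*/, "", p); print p; exit }'; }

# Live run: pass the login host as $1. /etc/krb5.conf is an assumed default location.
if [ -n "${1:-}" ]; then
    realm_in_conf "${KRB5_CONFIG:-/etc/krb5.conf}" FNAL.GOV ||
        echo "krb5.conf: no FNAL.GOV entry under [realms]"
    cfg=$(ssh -G "$1")
    printf '%s\n' "$cfg" | missing_ssh_opts | sed 's/^/ssh option not set to yes: /'
    remote=$(printf '%s\n' "$cfg" | ssh_user)
    ticket=$(klist 2>/dev/null | principal_user)
    if [ -z "$ticket" ]; then
        echo "no Kerberos ticket found: run kinit first"
    elif [ "$remote" != "$ticket" ]; then
        echo "ssh will log in as '$remote' but the ticket is for '$ticket'"
    fi
fi
```

`GSSAPIDelegateCredentials` forwards your Kerberos credentials to the server, so running the same check against a host outside the `131.225.* *.fnal.gov` pattern should list it as not set.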