High-Performance Computing at the NIH

Configure Unix/Linux/MacOS for the NIH.GOV domain

These instructions will help you configure your system for GSSAPI/Kerberos login to Helix/Biowulf for most system configurations (unless GSSAPI is intentionally disabled or not built into your SSH client). We are not aware of any Linux distributions that do not support GSSAPI and all releases of MacOS prior to 10.4 will work with these instructions.

MacOS

These are summary instructions. See the MIT Kerberos pages on MacOS for more detail if you're having trouble with these simplified docs.

Make sure your MacOS system is using the NIH internal DNS servers:

Great! Now we need to update or create a Kerberos configuration:

The contents of this file (/Library/Preferences/edu.mit.Kerberos) should look like this:

[libdefaults]
        default_realm = NIH.GOV
        noaddresses = TRUE

[realms]
        NIH.GOV = {
                kdc = nihdc.nih.gov
                kdc = nihdc02.nih.gov
                kdc = nihdc03.nih.gov
                admin_server = nihdc.nih.gov
        }

[domain_realm]
        .nih.gov = NIH.GOV
        nih.gov = NIH.GOV

You are done. Try logging into Helix using SSH. Open a terminal: Finder -> Go -> Utilities -> Terminal:

mymac: ~macuser$ kinit nihloginuser
Password for nihloginuser@NIH.GOV:
mymac: ~macuser$ ssh nihloginuser@helix.nih.gov
...
[nihloginuser@helix ~]$

Note that you only have to run "kinit" once per login session or 24 hours, whichever comes first. Your (encrypted) credentials are stored for later use.

Unix/Linux

These are simplified instructions. For release or distribution-specific instructions you will have to consult the documentation provided by your Unix vendor or Linux distribution.

Make sure your /etc/resolv.conf is set to use the NIH internal DNS servers:

search nih.gov
nameserver 156.40.70.10
nameserver 156.40.74.10

If you use a Linux distribution that uses the NetworkManager service or some other network control service, you may need to use the distribution-provided network configuration tool to configure DNS.

Then configure your /etc/krb5.conf file to look like this:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = NIH.GOV
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 NIH.GOV = {
  kdc = nihdc.nih.gov
  kdc = nihdc02.nih.gov
  kdc = nihdc03.nih.gov
  admin_server = nihdc.nih.gov
 }

[domain_realm]
 .nih.gov = NIH.GOV
 nih.gov = NIH.GOV

That's it! Now log into Helix (or any other Unix/Linux NIH domain member) with the following:

[user@myhost ~]$ kinit nihloginuser
Password for nihloginuser@NIH.GOV:
[user@myhost ~]$ ssh -K nihloginuser@helix.nih.gov
...
[nihloginuser@helix ~]$

Note that you only have to run "kinit" once per login session or 24 hours, whichever comes first. Your (encrypted) credentials are stored for later use.
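
The check below is an added example, not part of the original NIH instructions: a POSIX shell helper that reads a krb5.conf and reports where it differs from the Unix/Linux configuration above. The helper names are hypothetical, the embedded sample is a trimmed copy of the page's file, and values are compared literally with those on the page.

```shell
# Added example. krb5_values and check_krb5_conf are hypothetical helper names.
# Print each value of KEY in [SECTION]; inside "NAME = { ... }" use NAME/KEY.
krb5_values() {  # usage: krb5_values FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        { gsub(/^[ \t]+|[ \t]+$/, "") }         # trim the line
        /^\[.*\]$/ { insec = ($0 == sec); blk = ""; next }
        $0 == "}" { blk = ""; next }
        insec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (v == "{") { blk = k "/"; next }
            if ((blk k) == key) print v
        }' "$1"
}
# Return the number of settings that differ from the values on this page.
check_krb5_conf() {  # usage: check_krb5_conf FILE REALM DNS_DOMAIN
    conf=$1 realm=$2 domain=$3 problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    [ "$(krb5_values "$conf" libdefaults default_realm)" = "$realm" ] ||
        fail "default_realm is not $realm"
    [ -n "$(krb5_values "$conf" realms "$realm/kdc")" ] || fail "no kdc for $realm"
    for name in ".$domain" "$domain"; do
        [ "$(krb5_values "$conf" domain_realm "$name")" = "$realm" ] ||
            fail "[domain_realm] does not map $name to $realm"
    done
    # With DNS lookups off, only the KDCs named in the file are contacted.
    for key in dns_lookup_realm dns_lookup_kdc; do
        [ "$(krb5_values "$conf" libdefaults "$key")" = "false" ] ||
            fail "$key is not false"
    done
    return "$problems"
}
# Constructed sample: a trimmed copy of the /etc/krb5.conf shown above.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
 default_realm = NIH.GOV
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 NIH.GOV = {
  kdc = nihdc.nih.gov
 }
[domain_realm]
 .nih.gov = NIH.GOV
 nih.gov = NIH.GOV
EOF
}
f=$(mktemp); write_sample_conf "$f"; check_krb5_conf "$f" NIH.GOV nih.gov && echo OK; rm -f "$f"
```

To check the real file, call check_krb5_conf /etc/krb5.conf NIH.GOV nih.gov; the return status is the number of failed checks.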