Archive for the ‘macosx’ Category

kadmin.local: Unknown credential cache type…

Tuesday, December 20th, 2005

So I’ve been getting the above error when attempting to use kadmin.local on my OD Master for a while, through 10.3.x and 10.4.x OS X Server.

I had been doing something rather clunky to get around it, which was to destroy any existing Kerberos tickets before ssh’ing into the OD Master, which works fine, but is kind of annoying.

Turns out there is a much easier solution.

Simply generate a ticket for a KDC admin account, and use that for the credentials cache.

localodadmin@odmaster: ~ $ kinit opendirectoryadmin
Please enter the password for opendirectoryadmin@MY.KERB.DOMAIN:
localodadmin@odmaster: ~ $ sudo kadmin.local -c opendirectoryadmin
Authenticating as principal root/admin@MY.KERB.DOMAIN with existing credentials.
kadmin.local:

Much easier…

Installing suexec on Mac OS X

Tuesday, November 22nd, 2005

Apple don’t ship suexec for Apache with OS X or OS X Server, but it’s quite simple to install yourself. Here’s how:

1. Check the version of Apache httpd that you have installed.

httpd -v

In 10.4.3, this will show I have version 1.3.33:

Server version: Apache/1.3.33 (Darwin)
Server built:   Mar 20 2005 15:08:27

2. Grab the source for the corresponding version of Apache httpd and compile it with suexec support, then copy the suexec binary to the expected location. You’ll see in this case I’ve added the sympa install path to the docroot setting, as I’m using this for installing Sympa, which will be covered in a forthcoming post. If you need suexec to work in another docroot, like /Library/WebServer/Documents, then substitute that instead. I don’t think the docroot setting is absolutely required for Sympa, as it gets used via a ScriptAlias, so you probably don’t need to stress about this if you’re using suexec for cgi-bin/fast-cgi scripts.

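mkdir -p /usr/local/src
cd /usr/local/src
curl -O http://apache.planetmirror.com.au/dist/httpd/apache_1.3.33.tar.gz
# Unpack the source before changing into its directory
tar xzf apache_1.3.33.tar.gz
cd apache_1.3.33
# suexec-caller is the user httpd runs as; only that user may invoke the wrapper
./configure \
--enable-suexec \
--suexec-caller=www \
--suexec-docroot=/usr/local/sympa \
--suexec-safepath="/usr/local/bin:/usr/bin:/bin"
make
# Install the wrapper where httpd expects it and set the setuid bit
cp src/support/suexec /usr/sbin/
chmod u+s /usr/sbin/suexec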

3. Now restart Apache with:

apachectl stop
apachectl start

and check that you see a line like this in your Apache httpd error log, by default /var/log/httpd/error_log:

[Tue Nov 22 11:41:03 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

Done! You now have a working suexec.
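
The check in step 3 can be scripted together with a look at the installed wrapper's ownership and mode. This is an added example, not part of the original post; the function names are hypothetical and the sample log is constructed around the notice line quoted above.

```shell
#!/bin/sh
# Added example: post-install checks for the suexec wrapper (function names are hypothetical).

# Print the wrapper path from the most recent "suEXEC mechanism enabled"
# notice in an Apache error log; return non-zero if the notice never appears.
suexec_wrapper_from_log() {
    path=$(sed -n 's/.*suEXEC mechanism enabled (wrapper: \(.*\))$/\1/p' "$1" | tail -n 1)
    [ -n "$path" ] && printf '%s\n' "$path"
}

# Classify the installed wrapper file. suexec has to be setuid and owned by
# root to switch users, and nobody but root should be able to replace it.
suexec_file_status() {
    f=$1
    [ -f "$f" ] || { echo missing; return 1; }
    [ -u "$f" ] || { echo not-setuid; return 1; }
    set -- $(ls -ln "$f")            # $1 = mode string, $3 = numeric owner id
    [ "$3" = 0 ] || { echo not-root-owned; return 1; }
    case $1 in
        ?????w*|????????w*) echo group-or-world-writable; return 1 ;;
    esac
    echo ok
}

# Constructed sample log: the notice line is the one quoted in the post,
# the other line is made up for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Tue Nov 22 11:40:58 2005] [notice] caught SIGTERM, shutting down
[Tue Nov 22 11:41:03 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
EOF

wrapper=$(suexec_wrapper_from_log "$sample")
echo "wrapper reported in log: $wrapper"
echo "wrapper file status:     $(suexec_file_status "$wrapper")"
rm -f "$sample"
```

On a real server, pass /var/log/httpd/error_log to suexec_wrapper_from_log instead of the sample file.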