[OpenAFS] Best practice for cleaning up PTS groups after users are deleted

Russ Allbery rra@stanford.edu
Thu, 26 Jul 2012 15:10:45 -0700

Jeffrey Altman <jaltman@secure-endpoints.com> writes:

> A security best practice is to never delete users and groups because you
> don't know what ACLs they might be listed on.  The same is true for
> Kerberos principal names.  You can disable the issuance of tickets but
> do not remove them from the database.

I prefer deleting them and then running fs cleanacl across the entire cell
on a time period faster than reuse of the same PTS ID.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
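
Added example, not part of the original message or of OpenAFS: a check for ACL entries that `fs cleanacl` has not yet removed, based on the documented behaviour that `fs listacl` prints an entry whose PTS record is gone as a bare AFS ID instead of a name. The sample output, paths and IDs are constructed, and the code assumes the ptserver was reachable when `fs listacl` ran and that no PTS name is purely numeric.

```python
import re

# Constructed sample of `fs listacl` output for two directories (not real data).
SAMPLE_LISTACL = """\
Access list for /afs/example.org/proj/alpha is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  1047 rlidwk
  -212 rl
Negative rights:
  1093 w

Access list for /afs/example.org/proj/beta is
Normal rights:
  system:administrators rlidwka
  bob rl
"""

_HEADER = re.compile(r"^Access list for (?P<path>.+) is$")
_NUMERIC_ID = re.compile(r"^-?\d+$")  # users are positive IDs, groups negative


def orphaned_entries(listacl_output):
    """Return (path, section, pts_id, rights) for each ACL entry shown as a bare ID."""
    found = []
    path = section = None
    for raw in listacl_output.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            path, section = header.group("path"), None
        elif line in ("Normal rights:", "Negative rights:"):
            section = "normal" if line.startswith("Normal") else "negative"
        elif path and section and len(line.split()) == 2:
            name, rights = line.split()
            if _NUMERIC_ID.match(name):
                found.append((path, section, int(name), rights))
    return found


def paths_needing_cleanacl(listacl_output):
    """Directories still carrying an orphaned entry, in first-seen order."""
    return list(dict.fromkeys(p for p, _, _, _ in orphaned_entries(listacl_output)))


if __name__ == "__main__":
    for path, section, pts_id, rights in orphaned_entries(SAMPLE_LISTACL):
        kind = "group" if pts_id < 0 else "user"
        print(f"{path}: {section} rights {rights} held by deleted {kind} ID {pts_id}")
```

Any path this reports after a cleanup pass still holds rights that a reissued PTS ID would inherit, so it is a directory to pass to `fs cleanacl` before that ID can be reused.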