[OpenAFS] Best practice for cleaning up PTS groups after users are deleted

Jason Edgecombe jason@rampaginggeek.com
Thu, 26 Jul 2012 18:30:20 -0400

On 07/26/2012 06:10 PM, Russ Allbery wrote:
> Jeffrey Altman <jaltman@secure-endpoints.com> writes:
>> A security best practice is to never delete users and groups because you
>> don't know what ACLs they might be listed on.  The same is true for
>> Kerberos principal names.  You can disable the issuance of tickets but
>> do not remove them from the database.
> I prefer deleting them and then running fs cleanacl across the entire cell
> on a time period faster than reuse of the same PTS ID.
We delete users and run fs cleanacl. I'm trying to figure out how to
properly clean up the groups. What criteria do other sites use for
removing groups? I know about orphaned groups, but I'm looking for good
advice about self-owning groups and groups owned by other groups.
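As an added illustration of the two clean-up steps discussed in this thread (running fs cleanacl across the cell, and reviewing groups by ownership before deciding what to remove), here is a small POSIX sh script. It is not code from the thread or from the OpenAFS project. It parses the table printed by `pts listentries -users -groups` (columns Name, ID, Owner, Creator; group IDs are negative) and sorts each group into self-owned, group-owned, user-owned or orphaned. The sample table is constructed for this example, and the orphan rule (owner 0, or an owner ID that no longer appears in the table) is an assumption rather than something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): classify PTS groups by ownership so an
# administrator can review self-owning, group-owned and orphaned groups before
# deciding which to remove.  Input is the table printed by
#   pts listentries -users -groups
# (columns: Name ID Owner Creator, numeric IDs; groups have negative IDs).
# Assumption: an orphaned group shows owner 0, or an owner ID that no longer
# exists in the table.

# Constructed sample of `pts listentries -users -groups` output.
SAMPLE_PTS_ENTRIES='Name                          ID  Owner Creator
system:administrators       -204   -204    -204
jsmith                      1001   -204    -204
jsmith:friends              -301   1001    1001
project:core                -302   -302    -204
project:readers             -303   -302    -204
jdoe:old                    -304      0    1002
alice:stale                 -305   1003    1003'

# classify_pts_groups: read a listentries table on stdin and print one line
# per group, "<category> <group> <owner>", where category is one of
# self-owned, group-owned, user-owned or orphaned.
classify_pts_groups() {
    awk '
    NR == 1 { next }                      # skip the header line
    { name[$2] = $1; owner[$2] = $3 }     # index every entry by numeric ID
    END {
        for (id in name) {
            if (id + 0 >= 0) continue     # positive IDs are users, not groups
            o = owner[id]
            if (o == id)                       cat = "self-owned"
            else if (o == 0 || !(o in name))   cat = "orphaned"
            else if (o < 0)                    cat = "group-owned"
            else                               cat = "user-owned"
            printf "%s %s %s\n", cat, name[id], (o in name ? name[o] : o)
        }
    }' | sort
}

# groups_in_category CATEGORY: filter classify_pts_groups output on stdin
# down to the group names in one category.
groups_in_category() {
    awk -v want="$1" '$1 == want { print $2 }'
}

# cleanacl_tree DIR: the "fs cleanacl across the cell" step from the thread,
# applied to every directory below DIR.  Real commands, but not executed in
# this example; run it against a mounted AFS path such as /afs/<cell>.
cleanacl_tree() {
    find "$1" -type d -exec fs cleanacl -path '{}' +
}

# Review run on the constructed sample.  For a live cell replace the printf
# with:  pts listentries -users -groups | classify_pts_groups
printf '%s\n' "$SAMPLE_PTS_ENTRIES" | classify_pts_groups
```

The script only reports; it never calls `pts delete`. The intended use is to pipe the orphaned and self-owned lists to whoever reviews them, since a self-owning group with live members (project:core above) is usually still wanted, while a group whose owner has been deleted is the kind the thread is asking about.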