[OpenAFS] Best practice for cleaning up PTS groups after users are deleted
Jason Edgecombe
jason@rampaginggeek.com
Thu, 26 Jul 2012 18:30:20 -0400
On 07/26/2012 06:10 PM, Russ Allbery wrote:
> Jeffrey Altman <jaltman@secure-endpoints.com> writes:
>
>> A security best practice is to never delete users and groups because you
>> don't know what ACLs they might be listed on. The same is true for
>> Kerberos principal names. You can disable the issuance of tickets but
>> do not remove them from the database.
> I prefer deleting them and then running fs cleanacl across the entire cell
> on a time period faster than reuse of the same PTS ID.
>
We delete users and run fs cleanacl. I'm trying to figure out how to
properly clean up the groups. What criteria do other sites use for
removing groups? I know about orphaned groups, but I'm looking for good
advice about self-owning groups and groups owned by other groups.
Thanks,
Jason