[OpenAFS] account deletions

Brian Davidson bdavids1@gmu.edu
Tue, 13 Sep 2005 16:06:21 -0400

On Sep 13, 2005, at 3:21 PM, Jeffrey Hutzelman wrote:
> (1) Don't reuse PTS ID's.  But you figured that out.

I really hope to win that battle.

> (2) Whenever possible, ACL's should contain groups, not users.  When a
>    PTS user is deleted, its group memberships automatically go away.

All centrally managed ACLs are done that way, except for the user's 
home volume.  For areas where users can set ACLs, who knows what's been 

I had suspected that PTS group memberships went away.  My testing 
confirmed it, and now you've re-confirmed it.  Thanks!

> (3) 'fs cleanacl' will "clean" the ACL of a directory, removing entries
>    for ID's which do not currently exist in PTS.  So, you could do
>    something like this (assuming GNU find and xargs):
> find /afs/gmu.edu -noleaf -type d -print0 | xargs -0 fs cleanacl -path

I was thinking something along those lines.  I guess it really doesn't 
matter how many accounts I'm deleting.  I'll just save that till 
they're all deleted and take one run through the filesystem.

Out of curiosity, are there any AFS aware find commands that will 
restrict themselves to traversing a single specified cell?  It's 
possible someone could mount a volume from another cell somewhere in 
our filesystem.  It would suck to spend a bunch of time trying to fs 
cleanacl someone else's cell, especially when it would fail.  This is 
mostly a hypothetical question, but it has been one of those weeks...

Thanks for the advice!