[OpenAFS] Best practice for cleaning up PTS groups after users are deleted
Thu, 26 Jul 2012 15:10:45 -0700
Jeffrey Altman <email@example.com> writes:
> A security best practice is to never delete users and groups because you
> don't know what ACLs they might be listed on. The same is true for
> Kerberos principal names. You can disable the issuance of tickets but
> do not remove them from the database.
I prefer deleting them and then running fs cleanacl across the entire cell
on a time period faster than reuse of the same PTS ID.
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>
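
Added example, not part of the original message or of OpenAFS itself: one way to script the cell-wide `fs cleanacl` sweep described in the reply, recording every directory that could not be cleaned so a partial sweep is not mistaken for a complete one before a PTS ID is reused. The `sweep_acls` function, the `FS_CMD` override and the paths in the comments are assumptions of this example; only `fs cleanacl -path` is the real OpenAFS command.

```shell
#!/bin/sh
# Added example (not OpenAFS code): sweep a tree with `fs cleanacl`.
# FS_CMD is a hypothetical override so the sweep can be pointed at a stub
# for a dry run; by default it is the OpenAFS `fs` binary.
FS_CMD="${FS_CMD:-fs}"

# sweep_acls ROOT FAILED_LOG
#   Runs `fs cleanacl -path DIR` on every directory that find reaches
#   under ROOT. Directories where the command fails (no rights, volume
#   offline, ...) are appended to FAILED_LOG, one per line.
#   Returns 0 only if the walk completed and every directory was cleaned.
#   The caller needs tokens that grant "a" rights on the directories.
sweep_acls() {
    root=$1
    failed_log=$2
    : > "$failed_log" || return 2      # start with an empty failure log

    walk_rc=0
    # Pass settings through the environment so directory names never get
    # re-parsed by a shell; "{} +" batches directories per inner shell.
    FS_CMD=$FS_CMD FAILED_LOG=$failed_log \
    find "$root" -type d -exec sh -c '
        for dir in "$@"; do
            "$FS_CMD" cleanacl -path "$dir" >/dev/null 2>&1 ||
                printf "%s\n" "$dir" >> "$FAILED_LOG"
        done' sh {} + || walk_rc=1

    # A directory find could not enter is as bad as one fs could not clean:
    # either way an orphaned ACL entry may still be there.
    [ "$walk_rc" -eq 0 ] && [ ! -s "$failed_log" ]
}

# Example invocation (constructed placeholder paths):
#   sweep_acls /afs/cell.example /var/tmp/cleanacl-failed.log ||
#       echo "sweep incomplete; do not reuse PTS IDs yet" >&2
```

A non-zero return means at least one directory may still carry an ACL entry for a deleted ID, so the failure log should be empty before the sweep is counted as done for that period.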