[OpenAFS] Best practice for cleaning up PTS groups after users
Thu, 26 Jul 2012 18:30:20 -0400
On 07/26/2012 06:10 PM, Russ Allbery wrote:
> Jeffrey Altman <firstname.lastname@example.org> writes:
>> A security best practice is to never delete users and groups because you
>> don't know what ACLs they might be listed on. The same is true for
>> Kerberos principal names. You can disable the issuance of tickets but
>> do not remove them from the database.
> I prefer deleting them and then running fs cleanacl across the entire cell
> on a time period faster than reuse of the same PTS ID.
We delete users and run fs cleanacl. I'm trying to figure out how to
properly clean up the groups. What criteria do other sites use for
removing groups? I know about orphaned groups, but I'm looking for good
advice about self-owning groups and groups owned by other groups.