[OpenAFS] Best practice for cleaning up PTS groups after users are deleted

Jason Edgecombe jason@rampaginggeek.com
Thu, 26 Jul 2012 18:30:20 -0400


On 07/26/2012 06:10 PM, Russ Allbery wrote:
> Jeffrey Altman <jaltman@secure-endpoints.com> writes:
>
>> A security best practice is to never delete users and groups because you
>> don't know what ACLs they might be listed on.  The same is true for
>> Kerberos principal names.  You can disable the issuance of tickets but
>> do not remove them from the database.
> I prefer deleting them and then running fs cleanacl across the entire cell
> on a time period faster than reuse of the same PTS ID.
>
We delete users and run fs cleanacl. I'm trying to figure out how to
properly clean up the groups. What criteria do other sites use for
removing groups? I know about orphaned groups, but I'm looking for good
advice about self-owning groups and groups owned by other groups.

Thanks,
Jason
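An added shell example, not from this thread or from OpenAFS itself: it sorts groups into the categories the question raises (orphaned, self-owned, owned by another group, owned by a user) by parsing `pts examine` output. The sample output embedded below is constructed, and the standard two-line `pts examine` layout is assumed.

```shell
#!/bin/sh
# Classify PTS groups by owner from concatenated "pts examine" output.
# Assumed format (one group = two lines):
#   Name: jason:staff, id: -300, owner: jason, creator: jason,
#     membership: 3, flags: S-M--, group quota: 0.
# pts prints a bare numeric id in the owner field when the owner entry
# no longer exists; that is what marks a group as orphaned.
# On a real cell, feed it with something like:
#   pts listentries -groups | awk 'NR>1{print $1}' | xargs -n1 pts examine

classify_groups() {
    # Reads "pts examine" text on stdin, prints "<category> <group> <owner>".
    awk '
    /^Name:/ {
        name = $2;  sub(/,$/, "", name)
        owner = $6; sub(/,$/, "", owner)
        n++; names[n] = name; owners[n] = owner
        isgroup[name] = 1        # remember every group so owners can be resolved
    }
    END {
        for (i = 1; i <= n; i++) {
            g = names[i]; o = owners[i]
            if (o ~ /^-?[0-9]+$/)  cat = "orphaned"      # owner entry deleted
            else if (o == g)       cat = "self-owned"
            else if (o in isgroup) cat = "group-owned"
            else                   cat = "user-owned"
            printf "%s %s %s\n", cat, g, o
        }
    }'
}

# Constructed sample of "pts examine" output for four groups.
sample_pts_output() {
    cat <<'EOF'
Name: system:administrators, id: -204, owner: system:administrators, creator: anonymous,
  membership: 2, flags: S-M--, group quota: 0.
Name: jason:staff, id: -300, owner: jason, creator: jason,
  membership: 3, flags: S-M--, group quota: 0.
Name: jason:staff-admins, id: -301, owner: jason:staff, creator: jason,
  membership: 1, flags: S-M--, group quota: 0.
Name: bob:project, id: -302, owner: 5123, creator: 5123,
  membership: 4, flags: S-M--, group quota: 0.
EOF
}

sample_pts_output | classify_groups
```

Orphaned groups are the only unambiguous deletion candidates; self-owned and group-owned entries still need a human decision, which is why the script only labels them.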