On 07/26/2012 06:10 PM, Russ Allbery wrote:
Jeffrey Altman <jalt...@secure-endpoints.com> writes:
A security best practice is to never delete users and groups because you
don't know what ACLs they might be listed on. The same is true for
Kerberos principal names. You can disable the issuance of tickets but
do not remove them from the database.
I prefer deleting them and then running fs cleanacl across the entire cell
on a time period faster than reuse of the same PTS ID.
We delete users and run fs cleanacl. I'm trying to figure out how to
properly clean up the groups. What criteria do other sites use for
removing groups. I know about orphaned gruops, but I'm looking for good
advice about self-owning groups and groups owned by other groups.
Thanks,
Jason
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
