delete_principal does not delete the principal from the Database file

Nico Williams nico at cryptonector.com
Mon Jul 16 13:59:47 EDT 2012


On Mon, Jul 16, 2012 at 12:48 PM, Aravind Jerubandi
<aravind.jerubandi at gmail.com> wrote:
> Recently we deleted large number of records and currently we have 0.95M
> user accounts. But the principal file size is still 4.4G.
>
> Looks like KDC does not delete the principals from the database file, but
> just disables it. Is there a way to permanently delete the principals and
> reduce the principal file size?

What actually happens is that freeing space in the DB file does not
result in the file shrinking in size.  The reason is that the space
freed is not necessarily at the end of the file, and compacting the
file would impose a long wait.

If you want to reclaim that space just dump and reload the KDB.

> (the number of accounts info is taken from the attribute value 'Reference
> count' which we get with the 'get_policy' command)

IIRC there are (were?) races in the updating of the policy reference
counts, so those may not be accurate.  Also, this doesn't tell you
anything about principals with no policy.

Nico
--
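The dump-and-reload step Nico recommends, written out as an added shell example that is not from this thread. It assumes MIT Kerberos with `kdb5_util` on PATH, root privileges, that the database path passed in matches `database_name` in kdc.conf, and that the caller has stopped kadmind and krb5kdc first (service names vary by distribution); `reclaim_kdb_space` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): reclaim unused space in an MIT
# Kerberos KDB by dumping it and loading the dump into a fresh database.
# Assumptions: kdb5_util on PATH, run as root, kadmind/krb5kdc already
# stopped, and "$1" is the database_name configured in kdc.conf.
#
# Usage: reclaim_kdb_space <database file> <dump file>
reclaim_kdb_space() {
    db="$1"
    dump="$2"

    # Record the size before the reload so the effect can be checked after.
    before=$(wc -c < "$db" | tr -d ' ') || return 1

    # 1. Dump every principal and policy record to a text dump file.
    #    The dump holds every principal's keys, so create it mode 0600.
    ( umask 077; kdb5_util dump "$dump" ) || return 1

    # 2. Sanity check: refuse to load a dump that lacks the load_dump
    #    header or contains no principal records at all.
    head -n 1 "$dump" | grep -q '^kdb5_util load_dump version' || return 1
    grep -q '^princ' "$dump" || return 1

    # 3. Load the dump. Without -update, kdb5_util builds a new database
    #    from the dump and replaces the old one; that is what frees space.
    kdb5_util load "$dump" || return 1

    after=$(wc -c < "$db" | tr -d ' ') || return 1
    echo "before=${before} after=${after}"

    # 4. Remove the dump: it contains key material for every principal.
    rm -f "$dump"

    # Succeed only if the database file actually shrank.
    [ "$after" -lt "$before" ]
}
```

Run it on an otherwise quiet KDC and check the printed before/after sizes; if the file did not shrink, the freed space was not the cause of the size and the function returns non-zero.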