sync: auto-sync from HOWARD-HOME at 2026-06-25 23:09:59
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-25 23:09:59
@@ -0,0 +1,125 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
# Cascades NAS->CS-SERVER migration: drive-map skill + CS-SERVER SMB instability diagnosis
## Session Summary
Continued the Cascades of Tucson NAS->CS-SERVER share migration. The session began as a
single-user task (repoint Karen Rossini's ALDocs shortcut from the NAS to CS-SERVER) and
turned into a fleet-wide diagnosis of why workstations cannot reliably reach CS-SERVER's
SMB file shares.
Built a new reusable skill, `drive-map`, to stop re-fighting Windows network drive maps via
RMM. It runs every operation in the user session (so maps/shortcuts actually appear), stores
the per-host credential with cmdkey (the workgroup-PC->domain-share case), makes maps
persistent, repoints/removes stale NAS shortcuts, and verifies access. Validated by dry-run;
the `verify` verb caught the real blocker before any desktop was touched.
Staged Karen's server-side migration: reset + enabled her domain account
`CASCADES\karen.rossini` (change-at-logon off), vaulted the password, added her to `SG-IT-RW`
for RW on `D:\Shares\Server`, and stored a CS-SERVER cmdkey on her PC. The `verify` then
failed (error 67), kicking off the diagnosis.
Diagnosis chain: ruled out Karen's account, CS-SERVER's firewall (SMB-In Allow/Any), name
resolution (clean), and L3 routing (`.248` is a direct neighbor). Initially theorized a
CSC-ENT-vs-CSCNet Wi-Fi segment problem and moved Karen onto CSCNet — but Howard's input
(Meredith works from CSC ENT; Crystal uses a different access method) plus further testing
disproved it: fresh SMB connections to `\\cs-server\*` (even `IPC$`) fail with **System error
67 from BOTH Wi-Fis**, while only pre-existing persistent mapped drives work, and even those
are intermittent (Meredith's `Y:` read True then False). Conclusion: a **CS-SERVER-side SMB
instability**, not the client network.
Two additional blockers surfaced: CSCNet is **WPA3-SAE**, so older adapters (Meredith's Intel
AC 3165) physically cannot join it; and the access model is insecure — workgroup PCs store a
domain credential (Meredith's stores `cs-server -> administrator`) and the shares are
`Authenticated Users : Full`.
## Key Decisions
- Built `drive-map` as a durable skill rather than one-off commands — the repoint recurs for
~7 users. All ops run `context: user_session` by design (the fix for "maps made as SYSTEM
are invisible").
- Reset+vaulted Karen's domain password (she logs in locally, so no disruption) rather than
chasing an unknown existing password.
- Used a reversible, surgical approach to test the network theory (temp host route; vaulted
both Wi-Fi PSKs before deleting a profile) so nothing was unrecoverable.
- Moved Meredith test attempt with a scheduled-task safety net (auto-restore CSC ENT in 15
min) to avoid stranding her if CSCNet couldn't carry the agent.
- Corrected the project memory when the CSC-ENT theory was disproved (memories must not
mislead).
- Deferred the CS-SERVER fix (multichannel interface cleanup, then possible LanmanServer
restart) pending Howard's approval — it's a production DC with 13 live sessions.
## Problems Encountered
- **Karen `verify` error 67** -> root-caused to CS-SERVER SMB instability (see below), not her
account or network.
- **My CSC-ENT-vs-CSCNet theory was wrong** -> disproved when Meredith (CSC ENT) works and
fresh connections fail from CSCNet too. Corrected memory.
- **Moved Karen to CSCNet, broke NAS-by-name for her** -> she can reach NAS by IP but not name
now; Howard said she doesn't use the Server folder so left as-is (offer to restore CSC ENT
stands).
- **Meredith cannot join CSCNet** -> WPA3-SAE not supported by her AC 3165 adapter. Plan: buy
a new wireless adapter; do not change her connection meanwhile (she needs access).
- **Self-inflicted friction:** a bash `<<PS` (unquoted heredoc) containing a PowerShell
backtick (`` "`n" ``) triggered "bad substitution" and silently sent a broken command. Fix:
use `<<'PS'` (quoted) when no bash interpolation is needed, or avoid backticks (use
`[Environment]::NewLine`) in unquoted heredocs.
- **`cmd /c "netsh ... \"quoted\""` mangled quotes** (Windows CommandLineToArgvW) -> call
netsh natively from PowerShell; single-quote tokens whose value contains spaces
(`'name="CSC ENT"'`).
## Configuration Changes
- NEW skill: `.claude/skills/drive-map/SKILL.md` + `.claude/skills/drive-map/scripts/drive-map.sh`
(verbs: verify | cred | map | shortcut | unmap | migrate; RMM-driven, user_session, vault-read creds).
- `.claude/memory/project_cascades_network_segments.md` created then corrected; index line in
`.claude/memory/MEMORY.md` updated.
- CS-SERVER (AD): `CASCADES\karen.rossini` password reset + enabled + ChangePasswordAtLogon
false; added to group `SG-IT-RW`.
- Karen's PC (DESKTOP-LPOPV30): CSC ENT Wi-Fi profile deleted + adapter disabled, now CSCNet-
only (10.0.20.100). cmdkey `CS-SERVER -> CASCADES\karen.rossini` stored.
- Meredith's PC (ASSISTMAN-PC): no lasting change (CSCNet profile add failed; safety task removed).
## Credentials & Secrets (vaulted)
- `clients/cascades-tucson/karen-rossini.sops.yaml` — `CASCADES\karen.rossini` domain pwd (reset
this session; temporary, to be changed when she starts using the domain account).
- `clients/cascades-tucson/wifi-cscnet.sops.yaml` — CSCNet Wi-Fi PSK (WPA3-SAE, 10.0.20.x).
- `clients/cascades-tucson/wifi-csc-ent.sops.yaml` — CSC ENT Wi-Fi PSK (WPA2-PSK, 192.168.2.x).
- Note: domain pwd + Wi-Fi PSKs transited RMM command history (internal, admin-only) during
provisioning/capture — purge/rotate if needed.
## Infrastructure & Servers
- CS-SERVER: DC (DomainRole 5), `cascades.local` / NetBIOS `CASCADES`. IPs 192.168.2.248
(Ethernet) + 192.168.2.254 (Hyper-V vSwitch), both /22 (192.168.0.0/22). RMM agent
c39f1de7-d5b6-45ae-b132-e06977ab1713. Shares under D:\Shares\<name>; Server/Management share
ACL = Authenticated Users:Full. SMB multichannel advertises .248, .254, and IPv6 ULAs
(fde4::, fd8f::). `Get-SmbServerConfiguration` errors "Data of this type is not supported."
SMB signing required. 13 live sessions.
- Wi-Fi: `CSC ENT` (192.168.2.0/24, gw 192.168.0.1, WPA2) and `CSCNet` (10.0.20.x, gw
10.0.20.1, WPA3-SAE). DNS = pfSense 192.168.0.1.
- Agents: DESKTOP-LPOPV30 (Karen) ad725bb2-d8cb-4a83-8203-6f7e9c906b29; ASSISTMAN-PC
(Meredith) cf86fa5e-96a2-494d-9cb1-8be22a518ad0; CRYSTAL-PC ad7d6d5e-fc44-478c-b8e0-0d867844afff.
## Commands & Outputs (key)
- Fresh `net use \\cs-server\IPC$` -> System error 67 (BAD_NETWORK_NAME), from CSC ENT and CSCNet.
- Meredith `Test-Path Y:\` -> True, then False minutes later (intermittent persistent mapping).
- `netsh wlan add profile CSCNet` on AC 3165 -> "security/connectivity setting not supported by adapter" (WPA3).
- CS-SERVER `Get-SmbServerNetworkInterface` -> .248, .254, fe80::, fde4::, fd8f::.
## Pending / Incomplete Tasks (next session)
- **CS-SERVER SMB fix (root cause):** (1) clean up SMB interface bindings so it serves only on
.248 (unbind File&Printer from .254 vSwitch + IPv6; consider disabling multichannel); (2) if
still degraded, restart LanmanServer / reboot after hours (drops 13 sessions). NEEDS approval.
- **Share permissions work** (Howard's next focus): tighten Server/Management from
Authenticated Users:Full to scoped groups; stop storing admin creds on user PCs.
- **pfSense + VLAN review** (Howard) — segment/routing design between 192.168.x and 10.0.20.x.
- **Meredith:** buy a new wireless adapter (AC 3165 lacks WPA3); do NOT change her connection
until then.
- **Testing:** use Karen's machine (DESKTOP-LPOPV30) as the mapped-drive test box.
- Optional: restore Karen's CSC ENT if she needs NAS-by-name.
## Reference Information
- Memory: `.claude/memory/project_cascades_network_segments.md`.
- Skill: `.claude/skills/drive-map/`.
- Repoint target: ALDocs = `\\CS-SERVER\Server\ALDocs`.
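Review bot: the "purge/rotate if needed" line under Credentials & Secrets leaves the exposure conditional while the Pending list carries no item for it; since Karen's reset domain password and both Wi-Fi PSKs transited RMM command history, add a concrete Pending task to rotate them (or to purge the history and record that it was done) so the follow-up is not lost. Two inconsistencies in the Infrastructure section also deserve a fix in the same file: `CSC ENT` is recorded as 192.168.2.0/24 with gateway 192.168.0.1, which lies outside that /24, while CS-SERVER's interfaces are recorded as /22 (192.168.0.0/22), so one of the masks is wrong, and it matters because the diagnosis ruled out L3 routing on the basis that `.248` is a direct neighbor. Finally, the "CS-SERVER-side SMB instability" conclusion rests on client-side symptoms (error 67 on fresh connections, `Test-Path Y:\` flipping True/False) plus a failing `Get-SmbServerConfiguration`; before the disruptive Pending step (unbinding interfaces, then restarting LanmanServer on a DC with 13 live sessions) the notes should capture server-side evidence taken at a failing moment, such as the SMB server event log and `Get-SmbSession` / `Get-SmbShare` output, and the share-permissions task should state that the existing `cs-server -> administrator` cmdkey on ASSISTMAN-PC is to be removed once scoped groups exist, not only that new ones stop being stored.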