sync: auto-sync from HOWARD-HOME at 2026-06-25 23:09:59

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 23:09:59
This commit is contained in:
2026-06-25 23:10:26 -07:00
parent 04b0d12150
commit 1d99dc93ed
4 changed files with 182 additions and 0 deletions


@@ -0,0 +1,125 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
# Cascades NAS->CS-SERVER migration: drive-map skill + CS-SERVER SMB instability diagnosis
## Session Summary
Continued the Cascades of Tucson NAS->CS-SERVER share migration. The session began as a
single-user task (repoint Karen Rossini's ALDocs shortcut from the NAS to CS-SERVER) and
turned into a fleet-wide diagnosis of why workstations cannot reliably reach CS-SERVER's
SMB file shares.
Built a new reusable skill, `drive-map`, to stop re-fighting Windows network drive maps via
RMM. It runs every operation in the user session (so maps/shortcuts actually appear), stores
the per-host credential with cmdkey (the workgroup-PC->domain-share case), makes maps
persistent, repoints/removes stale NAS shortcuts, and verifies access. Validated by dry-run;
the `verify` verb caught the real blocker before any desktop was touched.
Staged Karen's server-side migration: reset + enabled her domain account
`CASCADES\karen.rossini` (change-at-logon off), vaulted the password, added her to `SG-IT-RW`
for RW on `D:\Shares\Server`, and stored a CS-SERVER cmdkey on her PC. The `verify` then
failed (error 67), kicking off the diagnosis.
Diagnosis chain: ruled out Karen's account, CS-SERVER's firewall (SMB-In Allow/Any), name
resolution (clean), and L3 routing (`.248` is a direct neighbor). Initially theorized a
CSC-ENT-vs-CSCNet Wi-Fi segment problem and moved Karen onto CSCNet — but Howard's input
(Meredith works from CSC ENT; Crystal uses a different access method) plus further testing
disproved it: fresh SMB connections to `\\cs-server\*` (even `IPC$`) fail with **System error
67 from BOTH Wi-Fis**, while only pre-existing persistent mapped drives work, and even those
are intermittent (Meredith's `Y:` read True then False). Conclusion: a **CS-SERVER-side SMB
instability**, not the client network.
Two additional blockers surfaced: CSCNet is **WPA3-SAE**, so older adapters (Meredith's Intel
AC 3165) physically cannot join it; and the access model is insecure — workgroup PCs store a
domain credential (Meredith's stores `cs-server -> administrator`) and the shares are
`Authenticated Users : Full`.
## Key Decisions
- Built `drive-map` as a durable skill rather than one-off commands — the repoint recurs for
~7 users. All ops run `context: user_session` by design (the fix for "maps made as SYSTEM
are invisible").
- Reset+vaulted Karen's domain password (she logs in locally, so no disruption) rather than
chasing an unknown existing password.
- Used a reversible, surgical approach to test the network theory (temp host route; vaulted
both Wi-Fi PSKs before deleting a profile) so nothing was unrecoverable.
- Moved Meredith test attempt with a scheduled-task safety net (auto-restore CSC ENT in 15
min) to avoid stranding her if CSCNet couldn't carry the agent.
- Corrected the project memory when the CSC-ENT theory was disproved (memories must not
mislead).
- Deferred the CS-SERVER fix (multichannel interface cleanup, then possible LanmanServer
restart) pending Howard's approval — it's a production DC with 13 live sessions.
## Problems Encountered
- **Karen `verify` error 67** -> root-caused to CS-SERVER SMB instability (see below), not her
account or network.
- **My CSC-ENT-vs-CSCNet theory was wrong** -> disproved when Meredith (CSC ENT) works and
fresh connections fail from CSCNet too. Corrected memory.
- **Moved Karen to CSCNet, broke NAS-by-name for her** -> she can reach NAS by IP but not name
now; Howard said she doesn't use the Server folder so left as-is (offer to restore CSC ENT
stands).
- **Meredith cannot join CSCNet** -> WPA3-SAE not supported by her AC 3165 adapter. Plan: buy
a new wireless adapter; do not change her connection meanwhile (she needs access).
- **Self-inflicted friction:** a bash `<<PS` (unquoted heredoc) containing a PowerShell
backtick (`` "`n" ``) triggered "bad substitution" and silently sent a broken command. Fix:
use `<<'PS'` (quoted) when no bash interpolation is needed, or avoid backticks (use
`[Environment]::NewLine`) in unquoted heredocs.
- **`cmd /c "netsh ... \"quoted\""` mangled quotes** (Windows CommandLineToArgvW) -> call
netsh natively from PowerShell; single-quote tokens whose value contains spaces
(`'name="CSC ENT"'`).
## Configuration Changes
- NEW skill: `.claude/skills/drive-map/SKILL.md` + `.claude/skills/drive-map/scripts/drive-map.sh`
(verbs: verify | cred | map | shortcut | unmap | migrate; RMM-driven, user_session, vault-read creds).
- `.claude/memory/project_cascades_network_segments.md` created then corrected; index line in
`.claude/memory/MEMORY.md` updated.
- CS-SERVER (AD): `CASCADES\karen.rossini` password reset + enabled + ChangePasswordAtLogon
false; added to group `SG-IT-RW`.
- Karen's PC (DESKTOP-LPOPV30): CSC ENT Wi-Fi profile deleted + adapter disabled, now CSCNet-
only (10.0.20.100). cmdkey `CS-SERVER -> CASCADES\karen.rossini` stored.
- Meredith's PC (ASSISTMAN-PC): no lasting change (CSCNet profile add failed; safety task removed).
## Credentials & Secrets (vaulted)
- `clients/cascades-tucson/karen-rossini.sops.yaml` — `CASCADES\karen.rossini` domain pwd (reset
this session; temporary, to be changed when she starts using the domain account).
- `clients/cascades-tucson/wifi-cscnet.sops.yaml` — CSCNet Wi-Fi PSK (WPA3-SAE, 10.0.20.x).
- `clients/cascades-tucson/wifi-csc-ent.sops.yaml` — CSC ENT Wi-Fi PSK (WPA2-PSK, 192.168.2.x).
- Note: domain pwd + Wi-Fi PSKs transited RMM command history (internal, admin-only) during
provisioning/capture — purge/rotate if needed.
## Infrastructure & Servers
- CS-SERVER: DC (DomainRole 5), `cascades.local` / NetBIOS `CASCADES`. IPs 192.168.2.248
(Ethernet) + 192.168.2.254 (Hyper-V vSwitch), both /22 (192.168.0.0/22). RMM agent
c39f1de7-d5b6-45ae-b132-e06977ab1713. Shares under D:\Shares\<name>; Server/Management share
ACL = Authenticated Users:Full. SMB multichannel advertises .248, .254, and IPv6 ULAs
(fde4::, fd8f::). `Get-SmbServerConfiguration` errors "Data of this type is not supported."
SMB signing required. 13 live sessions.
- Wi-Fi: `CSC ENT` (192.168.2.0/24, gw 192.168.0.1, WPA2) and `CSCNet` (10.0.20.x, gw
10.0.20.1, WPA3-SAE). DNS = pfSense 192.168.0.1.
- Agents: DESKTOP-LPOPV30 (Karen) ad725bb2-d8cb-4a83-8203-6f7e9c906b29; ASSISTMAN-PC
(Meredith) cf86fa5e-96a2-494d-9cb1-8be22a518ad0; CRYSTAL-PC ad7d6d5e-fc44-478c-b8e0-0d867844afff.
## Commands & Outputs (key)
- Fresh `net use \\cs-server\IPC$` -> System error 67 (BAD_NETWORK_NAME), from CSC ENT and CSCNet.
- Meredith `Test-Path Y:\` -> True, then False minutes later (intermittent persistent mapping).
- `netsh wlan add profile CSCNet` on AC 3165 -> "security/connectivity setting not supported by adapter" (WPA3).
- CS-SERVER `Get-SmbServerNetworkInterface` -> .248, .254, fe80::, fde4::, fd8f::.
## Pending / Incomplete Tasks (next session)
- **CS-SERVER SMB fix (root cause):** (1) clean up SMB interface bindings so it serves only on
.248 (unbind File&Printer from .254 vSwitch + IPv6; consider disabling multichannel); (2) if
still degraded, restart LanmanServer / reboot after hours (drops 13 sessions). NEEDS approval.
- **Share permissions work** (Howard's next focus): tighten Server/Management from
Authenticated Users:Full to scoped groups; stop storing admin creds on user PCs.
- **pfSense + VLAN review** (Howard) — segment/routing design between 192.168.x and 10.0.20.x.
- **Meredith:** buy a new wireless adapter (AC 3165 lacks WPA3); do NOT change her connection
until then.
- **Testing:** use Karen's machine (DESKTOP-LPOPV30) as the mapped-drive test box.
- Optional: restore Karen's CSC ENT if she needs NAS-by-name.
## Reference Information
- Memory: `.claude/memory/project_cascades_network_segments.md`.
- Skill: `.claude/skills/drive-map/`.
- Repoint target: ALDocs = `\\CS-SERVER\Server\ALDocs`.
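Review bot: The jump from "fresh `net use \\cs-server\IPC$` -> System error 67" in "Commands & Outputs" to the "CS-SERVER-side SMB instability" conclusion in the Session Summary is not backed by the evidence a reader needs to accept it: the log never records which of the server's addresses the failing connection went to, or whether TCP/445 answered there. Error 67 is ERROR_BAD_NET_NAME ("The network name cannot be found"), not "BAD_NETWORK_NAME", and since the same host advertises .248, .254 and two IPv6 ULAs for multichannel (the "Infrastructure & Servers" bullet), the outputs of `Resolve-DnsName cs-server` and `Test-NetConnection cs-server -Port 445` from both Wi-Fis belong in the log before the pending unbind/LanmanServer-restart step is approved, because they decide whether that step targets the cause. The firewall, name-resolution and L3 checks described as "ruled out" likewise have no recorded commands or outputs; add them to "Commands & Outputs". In "Credentials & Secrets", "purge/rotate if needed" leaves the RMM command-history exposure of a domain password and two Wi-Fi PSKs as a judgement call with no owner; list the rotation as a Pending task next to "stop storing admin creds on user PCs", and note there that the credential currently on the workgroup PC is the DC's built-in account (`cs-server -> administrator`) behind `Authenticated Users : Full` shares, which makes that the higher-severity item of the two. Smaller point: adding `CASCADES\karen.rossini` to `SG-IT-RW` to reach `D:\Shares\Server` puts a non-IT user in an IT-named RW group; the scoped-groups task should include moving her to a share-specific group and removing her from `SG-IT-RW`. Style: the `## User` block sits above the `#` title; move it below the title so the heading hierarchy starts at H1.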