sync: auto-sync from HOWARD-HOME at 2026-06-25 23:09:59
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-25 23:09:59
@@ -135,6 +135,7 @@
- [GURU-BEAST-ROG Setup Status](machine_windows_guru_setup_status.md) — Windows workstation fully configured except SSH key deployment to servers.

## Project
- [Cascades network + CS-SERVER SMB instability](project_cascades_network_segments.md) — NAS->CS-SERVER migration. NOT a CSC-ENT-vs-CSCNet issue (corrected): fresh SMB to `\\cs-server\*` fails err 67 from BOTH Wi-Fis; only persistent admin-mapped drives work, intermittently → CS-SERVER-side SMB instability (multichannel advertises .248/.254/IPv6 ULAs; Get-SmbServerConfiguration errors). Blockers: CSCNet=WPA3 (old adapters can't join); workstations store domain-admin cred. Repoint tool [[drive-map]].
- [CyndyOffice physical HP lockups](cyndyoffice-physical-hp-lockups.md) — RMM "Howard-VM" site agent CyndyOffice is a PHYSICAL HP Pavilion TP01 (not a VM); ~20 hard freezes/6wk = Kernel-Power 41 bugcheck-0, no dump/WHEA = hardware (RAM/PSU/BIOS), SSD healthy. UUID re-enrolls.
- [Automate memory consolidation/lint (phased)](project_memory_consolidation_automation.md) — Eventually auto-run /memory-dream; lint+additive fixes can automate early, merges/deletes stay human-approved. Engine: .claude/skills/memory-dream/ + .claude/scripts/sync-memory.sh.
- [Trebesch PST consolidation (staged)](project_trebesch_pst_consolidation.md) — Address-book CSV from 24 PSTs on DESKTOP-QNP3ON5; scripts staged at .claude/tmp/treb-*.ps1, WAITING for Howard's 6pm-MST 2026-06-01 go signal (attended run). See [[reference_trebesch_qnp3on5]].
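Review bot: the added Cascades index entry lists the suspected CS-SERVER fixes (multichannel cleanup, LanmanServer restart) but not that they are gated on approval, while the linked file states the fixes "NEED approval, prod DC, 13 live sessions". Suggest appending that to the entry, e.g. `Fix pending Howard's approval (prod DC, 13 live sessions).`, so the index alone does not read as a go-ahead.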
50
.claude/memory/project_cascades_network_segments.md
Normal file
@@ -0,0 +1,50 @@
---
name: project_cascades_network_segments
description: Cascades of Tucson network segments + the CSC-ENT Wi-Fi SMB block that stalls NAS->CS-SERVER user migration
metadata:
type: project
---

Cascades of Tucson NAS->CS-SERVER share migration — network reality discovered 2026-06-25.

**CS-SERVER** (DC, RMM agent, Synology Drive sync target): IPs `192.168.2.248` (Ethernet) and
`192.168.2.254` (Hyper-V vSwitch), both **/22 = `192.168.0.0/22`** (covers `.0`–`.3.255`).
Domain `CASCADES` / `cascades.local`. SMB healthy — serves 13+ live sessions; shares under
`D:\Shares\<name>` (Server, Management, Activities, Sales, etc.). Firewall SMB-In = Allow/Any.

**Working SMB clients** live on `10.0.20.x` (routed, gw `10.0.20.1`) and `192.168.3.x` (on-link
in the /22). Wi-Fi SSID for corporate = **`CSCNet`**.

**Two Wi-Fi SSIDs (same AP family):** **`CSC ENT`** = `192.168.2.0/24`, gw `192.168.0.1`, **WPA2-PSK**
(old NAS-side); **`CSCNet`** = `10.0.20.0/24`, gw `10.0.20.1`, **WPA3-SAE** (newer corporate). DNS =
pfSense `192.168.0.1`. CSCNet PSK + CSC ENT PSK vaulted (`clients/cascades-tucson/wifi-cscnet.sops.yaml`,
`wifi-csc-ent.sops.yaml`).

**CORRECTION (don't trust the first theory): the SMB problem is NOT CSC-ENT-vs-CSCNet.** Verified
2026-06-26: fresh SMB connections to `\\cs-server\<share>` fail with **System error 67
(BAD_NETWORK_NAME), even `IPC$`**, from CSC ENT AND CSCNet alike (Meredith on CSC ENT, Crystal +
Karen on CSCNet all hit it). Only **pre-existing persistent mapped drives** work, and even those are
**intermittent** (Meredith's `Y: \\cs-server\Server` read True then False minutes later). Lower layers
are fine everywhere (ping, nbtstat=CS-SERVER, TCP 445/139). So it's a **CS-SERVER-side SMB
instability**, not the client network.

**Root-cause leads (CS-SERVER):** `Get-SmbServerConfiguration` throws *"Data of this type is not
supported"* (degraded SMB config subsystem); SMB **multichannel advertises multiple interfaces** —
`192.168.2.248` (Ethernet), `192.168.2.254` (Hyper-V vSwitch), and IPv6 ULAs (`fde4::…`,`fd8f::…`).
Clients negotiating channels to unreachable interfaces is the prime suspect for flaky/failed new
sessions. SMB signing required (it's a DC). Likely fixes (NEED approval, prod DC, 13 live sessions):
disable SMB multichannel / unbind File&Printer sharing from `.254`+IPv6 so it serves only on `.248`;
and/or restart LanmanServer (or reboot) to rebuild the degraded config.

**Two more migration blockers found:** (1) **CSCNet is WPA3-SAE** — older adapters (e.g. Intel AC 3165
on Meredith's ASSISTMAN-PC) **cannot join it**, so "move everyone to CSCNet" is blocked by hardware.
(2) **Security smell:** workstations are WORKGROUP (local logins) and reach CS-SERVER by storing a
DOMAIN credential — Meredith's PC stores `cmdkey cs-server→administrator` (her Y:/X:/E: are mapped as
domain admin). Shares `Server`/`Management` = share ACL **Authenticated Users:Full** (NTFS gates real
access). Fix: stop storing admin creds on user PCs; scope shares to groups.

Karen Rossini case (DESKTOP-LPOPV30, WORKGROUP, dual Wi-Fi): `CASCADES\karen.rossini` reset+vaulted
(`clients/cascades-tucson/karen-rossini.sops.yaml`), added to `SG-IT-RW`, CS-SERVER cmdkey staged.
She doesn't really use the Server folder (per Howard) so deprioritized. ALDocs is in
`\\CS-SERVER\Server\ALDocs`. Repoint tooling = [[drive-map]] skill (but blocked by the CS-SERVER SMB
instability above — fix that first).
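Review bot: the `description:` frontmatter still blames "the CSC-ENT Wi-Fi SMB block" for the stalled migration, which the CORRECTION paragraph in the same file disproves; update it to name the CS-SERVER-side SMB instability so the index summary and the body agree. Separately, `CSC ENT` is recorded as `192.168.2.0/24` with gw `192.168.0.1`, an address outside that /24: either the client mask is /22 like CS-SERVER or the subnet is mis-recorded, and since the on-link-vs-routed reasoning for `192.168.3.x` rests on that mask it is worth re-checking before the pfSense/VLAN review.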
@@ -0,0 +1,125 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech

# Cascades NAS->CS-SERVER migration: drive-map skill + CS-SERVER SMB instability diagnosis

## Session Summary

Continued the Cascades of Tucson NAS->CS-SERVER share migration. The session began as a
single-user task (repoint Karen Rossini's ALDocs shortcut from the NAS to CS-SERVER) and
turned into a fleet-wide diagnosis of why workstations cannot reliably reach CS-SERVER's
SMB file shares.

Built a new reusable skill, `drive-map`, to stop re-fighting Windows network drive maps via
RMM. It runs every operation in the user session (so maps/shortcuts actually appear), stores
the per-host credential with cmdkey (the workgroup-PC->domain-share case), makes maps
persistent, repoints/removes stale NAS shortcuts, and verifies access. Validated by dry-run;
the `verify` verb caught the real blocker before any desktop was touched.

Staged Karen's server-side migration: reset + enabled her domain account
`CASCADES\karen.rossini` (change-at-logon off), vaulted the password, added her to `SG-IT-RW`
for RW on `D:\Shares\Server`, and stored a CS-SERVER cmdkey on her PC. The `verify` then
failed (error 67), kicking off the diagnosis.

Diagnosis chain: ruled out Karen's account, CS-SERVER's firewall (SMB-In Allow/Any), name
resolution (clean), and L3 routing (`.248` is a direct neighbor). Initially theorized a
CSC-ENT-vs-CSCNet Wi-Fi segment problem and moved Karen onto CSCNet — but Howard's input
(Meredith works from CSC ENT; Crystal uses a different access method) plus further testing
disproved it: fresh SMB connections to `\\cs-server\*` (even `IPC$`) fail with **System error
67 from BOTH Wi-Fis**, while only pre-existing persistent mapped drives work, and even those
are intermittent (Meredith's `Y:` read True then False). Conclusion: a **CS-SERVER-side SMB
instability**, not the client network.

Two additional blockers surfaced: CSCNet is **WPA3-SAE**, so older adapters (Meredith's Intel
AC 3165) physically cannot join it; and the access model is insecure — workgroup PCs store a
domain credential (Meredith's stores `cs-server -> administrator`) and the shares are
`Authenticated Users : Full`.

## Key Decisions
- Built `drive-map` as a durable skill rather than one-off commands — the repoint recurs for
~7 users. All ops run `context: user_session` by design (the fix for "maps made as SYSTEM
are invisible").
- Reset+vaulted Karen's domain password (she logs in locally, so no disruption) rather than
chasing an unknown existing password.
- Used a reversible, surgical approach to test the network theory (temp host route; vaulted
both Wi-Fi PSKs before deleting a profile) so nothing was unrecoverable.
- Moved Meredith test attempt with a scheduled-task safety net (auto-restore CSC ENT in 15
min) to avoid stranding her if CSCNet couldn't carry the agent.
- Corrected the project memory when the CSC-ENT theory was disproved (memories must not
mislead).
- Deferred the CS-SERVER fix (multichannel interface cleanup, then possible LanmanServer
restart) pending Howard's approval — it's a production DC with 13 live sessions.

## Problems Encountered
- **Karen `verify` error 67** -> root-caused to CS-SERVER SMB instability (see below), not her
account or network.
- **My CSC-ENT-vs-CSCNet theory was wrong** -> disproved when Meredith (CSC ENT) works and
fresh connections fail from CSCNet too. Corrected memory.
- **Moved Karen to CSCNet, broke NAS-by-name for her** -> she can reach NAS by IP but not name
now; Howard said she doesn't use the Server folder so left as-is (offer to restore CSC ENT
stands).
- **Meredith cannot join CSCNet** -> WPA3-SAE not supported by her AC 3165 adapter. Plan: buy
a new wireless adapter; do not change her connection meanwhile (she needs access).
- **Self-inflicted friction:** a bash `<<PS` (unquoted heredoc) containing a PowerShell
backtick (`` "`n" ``) triggered "bad substitution" and silently sent a broken command. Fix:
use `<<'PS'` (quoted) when no bash interpolation is needed, or avoid backticks (use
`[Environment]::NewLine`) in unquoted heredocs.
- **`cmd /c "netsh ... \"quoted\""` mangled quotes** (Windows CommandLineToArgvW) -> call
netsh natively from PowerShell; single-quote tokens whose value contains spaces
(`'name="CSC ENT"'`).

## Configuration Changes
- NEW skill: `.claude/skills/drive-map/SKILL.md` + `.claude/skills/drive-map/scripts/drive-map.sh`
(verbs: verify | cred | map | shortcut | unmap | migrate; RMM-driven, user_session, vault-read creds).
- `.claude/memory/project_cascades_network_segments.md` created then corrected; index line in
`.claude/memory/MEMORY.md` updated.
- CS-SERVER (AD): `CASCADES\karen.rossini` password reset + enabled + ChangePasswordAtLogon
false; added to group `SG-IT-RW`.
- Karen's PC (DESKTOP-LPOPV30): CSC ENT Wi-Fi profile deleted + adapter disabled, now CSCNet-
only (10.0.20.100). cmdkey `CS-SERVER -> CASCADES\karen.rossini` stored.
- Meredith's PC (ASSISTMAN-PC): no lasting change (CSCNet profile add failed; safety task removed).

## Credentials & Secrets (vaulted)
- `clients/cascades-tucson/karen-rossini.sops.yaml` — `CASCADES\karen.rossini` domain pwd (reset
this session; temporary, to be changed when she starts using the domain account).
- `clients/cascades-tucson/wifi-cscnet.sops.yaml` — CSCNet Wi-Fi PSK (WPA3-SAE, 10.0.20.x).
- `clients/cascades-tucson/wifi-csc-ent.sops.yaml` — CSC ENT Wi-Fi PSK (WPA2-PSK, 192.168.2.x).
- Note: domain pwd + Wi-Fi PSKs transited RMM command history (internal, admin-only) during
provisioning/capture — purge/rotate if needed.

## Infrastructure & Servers
- CS-SERVER: DC (DomainRole 5), `cascades.local` / NetBIOS `CASCADES`. IPs 192.168.2.248
(Ethernet) + 192.168.2.254 (Hyper-V vSwitch), both /22 (192.168.0.0/22). RMM agent
c39f1de7-d5b6-45ae-b132-e06977ab1713. Shares under D:\Shares\<name>; Server/Management share
ACL = Authenticated Users:Full. SMB multichannel advertises .248, .254, and IPv6 ULAs
(fde4::, fd8f::). `Get-SmbServerConfiguration` errors "Data of this type is not supported."
SMB signing required. 13 live sessions.
- Wi-Fi: `CSC ENT` (192.168.2.0/24, gw 192.168.0.1, WPA2) and `CSCNet` (10.0.20.x, gw
10.0.20.1, WPA3-SAE). DNS = pfSense 192.168.0.1.
- Agents: DESKTOP-LPOPV30 (Karen) ad725bb2-d8cb-4a83-8203-6f7e9c906b29; ASSISTMAN-PC
(Meredith) cf86fa5e-96a2-494d-9cb1-8be22a518ad0; CRYSTAL-PC ad7d6d5e-fc44-478c-b8e0-0d867844afff.

## Commands & Outputs (key)
- Fresh `net use \\cs-server\IPC$` -> System error 67 (BAD_NETWORK_NAME), from CSC ENT and CSCNet.
- Meredith `Test-Path Y:\` -> True, then False minutes later (intermittent persistent mapping).
- `netsh wlan add profile CSCNet` on AC 3165 -> "security/connectivity setting not supported by adapter" (WPA3).
- CS-SERVER `Get-SmbServerNetworkInterface` -> .248, .254, fe80::, fde4::, fd8f::.

## Pending / Incomplete Tasks (next session)
- **CS-SERVER SMB fix (root cause):** (1) clean up SMB interface bindings so it serves only on
.248 (unbind File&Printer from .254 vSwitch + IPv6; consider disabling multichannel); (2) if
still degraded, restart LanmanServer / reboot after hours (drops 13 sessions). NEEDS approval.
- **Share permissions work** (Howard's next focus): tighten Server/Management from
Authenticated Users:Full to scoped groups; stop storing admin creds on user PCs.
- **pfSense + VLAN review** (Howard) — segment/routing design between 192.168.x and 10.0.20.x.
- **Meredith:** buy a new wireless adapter (AC 3165 lacks WPA3); do NOT change her connection
until then.
- **Testing:** use Karen's machine (DESKTOP-LPOPV30) as the mapped-drive test box.
- Optional: restore Karen's CSC ENT if she needs NAS-by-name.

## Reference Information
- Memory: `.claude/memory/project_cascades_network_segments.md`.
- Skill: `.claude/skills/drive-map/`.
- Repoint target: ALDocs = `\\CS-SERVER\Server\ALDocs`.
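Review bot: the Credentials section records that the `CASCADES\karen.rossini` password and both Wi-Fi PSKs transited RMM command history, but "purge/rotate if needed" leaves that open-ended and the Pending / Incomplete Tasks list does not carry it. Suggest making rotation of those three secrets and purging the RMM history an explicit pending item with an owner; the same section already calls the password temporary, so rotation is expected anyway.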
@@ -17,6 +17,12 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
<!-- Append entries below this line -->

2026-06-26 | Howard-Home | drive-map | drive-map verify failed on DESKTOP-LPOPV30 [ctx: cmd=e932bc94-0557-4913-a0b1-c97c1aa5da26]

2026-06-26 | Howard-Home | drive-map | drive-map verify failed on DESKTOP-LPOPV30 [ctx: cmd=18fec38b-8fae-4a1b-a3d8-5b90b124dbc2]

2026-06-26 | Howard-Home | drive-map | drive-map verify failed on DESKTOP-LPOPV30 [ctx: cmd=82aa3177-558e-464e-ab75-81f8f7d7f3cc]

2026-06-26 | GURU-5070 | remediation-tool | [correction] claimed no tier has mail read/write and reached for an EWS workaround; correct: exchange-op (Exchange Operator app) = Exchange Administrator role + full_access_as_app + Exchange.ManageAsApp = full all-access for ANY mailbox/Exchange op including moving mail [ctx: tenant=tedards.net recurring=true ref=feedback_exchange_op_all_access]

2026-06-26 | Howard-Home | synology/ssh | syno-ssh recipe 'run' failed (rc=255) [ctx: host=192.168.0.120]
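Review bot: the three added drive-map entries record only "verify failed on DESKTOP-LPOPV30" plus a cmd id, while the session log root-causes all three to CS-SERVER returning System error 67, not to the skill. Suggest the ctx field carry the observed failure, e.g. `[ctx: cmd=... err=67 host=cs-server]`, so the log does not count three skill execution failures against drive-map when the same server-side fault was hit each time.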