sync: auto-sync from HOWARD-HOME at 2026-07-02 09:08:36
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-07-02 09:08:36
@@ -4,6 +4,7 @@
- [ACG resource map](reference_resource_map.md) — **READ THIS FIRST** when a task references a server/service/tenant/API. What we have access to, how to connect from this machine, per-machine exceptions, gotchas. Points at the detail files below.
- [ALIS (Medtelligent)](reference_alis_medtelligent.md) — Cascades assisted-living EHR. API host api.alisonline.com, community 622; username must be tenant-qualified (howard.enos@cascadestucson). Staff are READ-ONLY via API — create/change staff via web-UI Staff Import .xls. Use the `alis` skill.
- [GuruRMM User Manager](reference_gururmm_user_manager.md) — GuruRMM has a built-in per-agent User Manager tab (reset_password/enable/disable/groups for local+domain+AAD endpoint users; domain users only on a DC via `is_dc`). Use it, NOT raw Set-ADAccountPassword via /rmm. Endpoints: /api/agents/{id}/users + /users/action.
- [RMM map network drive (err67 double-hop)](reference_rmm_map_network_drive.md) — Pushing a persistent mapped drive to a remote share via /rmm user_session fails with err67/1702 (impersonated token = no network cred/double-hop). Plant HKCU:\Network\<drv> keys + cmdkey; mounts at next interactive logon. Immediate visibility needs the live session (ScreenConnect).
- [exchange-op = all-access Exchange tier](feedback_exchange_op_all_access.md) — STOP claiming "no tier can write mail." Exchange Operator app = Exchange Admin role + full_access_as_app + Exchange.ManageAsApp = full all-access (move mail, rules, config, EWS). Default to `exchange-op` for any Exchange write.
- [Tedards tenant facts](reference_tedards_tenant_facts.md) — Bill Tedards law office; tenant `4fcbb1f4…`; bt@/y226@ mailboxes; matter-number filing; UAL ingestion OFF; 9 synced devices; botched-import DUPLICATE folder.
- [Investigator EXO ManageAsApp gap](reference_investigator_exo_manageasapp_gap.md) — Security Investigator app lacks `Exchange.ManageAsApp` (only `full_access_as_app`) so `investigator-exo` 401s on EXO adminapi; use `exchange-op` tier for InvokeCommand.
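Review bot: the new index line `- [RMM map network drive (err67 double-hop)]` should carry one more clause on what the workaround leaves on the endpoint, because that is what the next reader will trip over: `cmdkey` stores the domain password in the user's Credential Manager and the `HKCU:\Network\<drv>` keys persist across logons, so when that account's password is later rotated the deferred map fails at next logon until the stored credential is re-planted. A short "rotation: re-run cmdkey" pointer here, or in the detail file it links, makes the entry complete.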
19
.claude/memory/reference_rmm_map_network_drive.md
Normal file
@@ -0,0 +1,19 @@
---
name: reference_rmm_map_network_drive
description: How to push a persistent mapped network drive to a machine via GuruRMM when net use fails with error 67 (double-hop)
metadata:
type: reference
---
Pushing a **persistent mapped drive** to an endpoint via the GuruRMM agent (`/rmm`) fails when the target share is on a *remote* server:
- Running `net use` in `context: user_session` impersonates the logged-on user, but that WTS-impersonated token has **no network credential** to make the second hop to the file server. Result: `System error 67 (network name cannot be found)` on `net use` and `System error 1702 (binding handle is invalid)` on `net view` — even with explicit `/user:.. <pw>`. This is the "SMB error 67 = RMM artifact" documented in `wiki/clients/cascades-tucson.md` (server + share are healthy; access works in a real interactive session).
**Reliable workaround — plant the map so it mounts at the user's next real logon:**
1. `cmdkey /add:<SERVER> /user:<DOMAIN\user> /pass:<pw>` in `user_session` — this is a *local* write to the user's Credential Manager and DOES succeed.
2. Write the persistent-map registry keys into the user's hive `HKCU:\Network\<DriveLetter>`: `RemotePath` (REG_SZ, `\\SERVER\Share`), `UserName` (REG_SZ, `DOMAIN\user`), `ProviderName` (`Microsoft Windows Network`), `ProviderType` (DWord `131072`), `ConnectionType` (DWord `1`), `DeferFlags` (DWord `4`).
3. At the user's **next interactive logon / reboot**, Windows reconnects the drive silently using the cmdkey credential. It will NOT appear in an already-open session — for immediate visibility, run `net use <D>: "\\SERVER\Share"` in the *live* interactive session (ScreenConnect), not through the RMM agent.
Non-domain-joined (workgroup) endpoints authenticate with `DOMAIN\user` + password saved via cmdkey — the domain account only needs to exist and be reachable, the client PC does not need to be joined.
PowerShell-in-RMM gotcha hit while doing this: a double-quoted string ending in a backslash (`"W:\"`, `"W:\\"`) breaks the parser — use bare path tokens (`Test-Path W:\`) or single quotes. See [[feedback_windows_quote_stripping]].
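Review bot: step 1 puts the secret on the command line of an RMM dispatch (`cmdkey /add:<SERVER> /user:<DOMAIN\user> /pass:<pw>`), so the password is retained in the GuruRMM command history and in whatever the agent logs for that dispatch; the doc should say so explicitly, so that the command record is treated as sensitive (or purged) and anyone with RMM history access is understood to have the credential. Second, the closing "PowerShell-in-RMM gotcha" blames the PowerShell parser, but backslash is not an escape character inside a PowerShell double-quoted string (`Test-Path "W:\"` is valid at a PowerShell prompt); the break happens in the layers between the payload and PowerShell, where the JSON encoding of the dispatch and the Windows command-line argument parser both read `\"` as a literal quote. Naming that layer points readers at the right fix (build the payload with `jq -n --arg`, and avoid a trailing backslash before a quote in the argument string) rather than a PowerShell quoting rule that does not exist.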
@@ -0,0 +1,129 @@
# Cascades - Shelby Trozzi "Company Web Docs" share + mapped drive
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Set up file-share access for Shelby Trozzi (MemCare Director) to the "Company Web Docs"
folder on CS-SERVER (Cascades DC). The request was to make `D:\Shares\Public\Company Web Docs`
an SMB share and grant Shelby access so the share could then be mapped as a drive on her
workstation (MDIRECTOR-PC).
Work proceeded via GuruRMM against CS-SERVER (agent resolved live by hostname). A read-only
discovery pass confirmed the folder existed (NTFS = inherited `Everyone:FullControl`), that it
was NOT currently shared (no SMB share pointed at it or at `Public`), and that Shelby already
had a domain account (`CASCADES\Shelby.Trozzi`, enabled). Howard chose the share name
`Company Web Docs` (with spaces) and Read/Write (Change) access. Created the SMB share with
`New-SmbShare` granting `CASCADES\Shelby.Trozzi` Change and `BUILTIN\Administrators` Full — the
share ACL is the effective gate (NTFS left as inherited Everyone:Full), so Shelby's effective
access is Change.
Discovered Shelby had never logged into her domain account (`logonCount = 0`, `lastLogon = never`)
and there was no vaulted password for her. Confirmed her account is in
`OU=Care-Memorycare,OU=Departments` with no `ConsistencyGuid` = NOT Entra-synced, so an on-prem
password reset was safe (would not affect any M365 sign-in). Reset her password (first attempt
`Shelby1173!` was rejected by AD complexity for containing her name; used `Cascades1173!` at
Howard's direction to keep the `1173!` pattern), set never-expires / no change-at-logon, and
vaulted it at `clients/cascades-tucson/shelby-trozzi.sops.yaml`.
Attempted to push the drive map to MDIRECTOR-PC (Win Home, not domain-joined) via RMM
`user_session` context. The map failed with System error 67 (and `net view` with 1702) even with
explicit credentials — the RMM agent's impersonated token has no network credential to reach
CS-SERVER (double-hop; the documented "SMB error 67 RMM artifact"). Worked around it by storing
the credential via `cmdkey` and planting a persistent map in her hive at `HKCU:\Network\W`, which
reconnects at her next interactive logon. Howard then mapped the drive himself in Shelby's live
session (ScreenConnect), confirming it mounted cleanly. Task complete.
## Key Decisions
- **Share name `Company Web Docs` (with spaces), Change access** — Howard's explicit choice via
AskUserQuestion (offered WebDocs/CompanyWebDocs/exact-name and Read vs Read/Write).
- **Gate at the share ACL, leave NTFS untouched** — folder already inherits `Everyone:FullControl`
from `Public`; the new share is the only network path to it, so granting only Shelby + Admins at
the share level limits access without disturbing the `Public` NTFS tree. Effective = Change.
- **On-prem password reset deemed safe** — verified not Entra-synced (no ConsistencyGuid, OU not in
sync scope), so reset does not ripple to M365.
- **Password `Cascades1173!`** — `Shelby1173!` blocked by AD complexity (contains user name); kept
the `1173!` numbers per Howard, swapped name part for `Cascades`.
- **Planted HKCU map + cmdkey instead of live net use** — RMM cannot drive an outbound authenticated
mount from the impersonated session; the registry/cmdkey approach mounts at next logon. Immediate
visibility left to interactive session (Howard did it).
## Problems Encountered
- **RMM dispatch JSON malformed** (hand-escaped nested quotes) → jq parse error on response. Fix:
build payload with `jq -n --arg` per the /rmm skill. Logged --friction.
- **PowerShell parse errors from backslash-before-closing-quote** (`"W:\"`, `"W:\\"`) broke two
dispatches (compile error = nothing ran). Fix: bare path tokens (`Test-Path W:\`) or single quotes.
Logged --friction.
- **AD password complexity rejection** — `Shelby1173!` contained her name; AD blocks names in
passwords regardless of length/symbols. Resolved with `Cascades1173!`.
- **SMB error 67 / RPC 1702 on the map** — RMM `user_session` impersonation double-hop; cannot make
outbound authenticated SMB to CS-SERVER. Resolved via cmdkey + `HKCU:\Network\W` (mounts at logon),
then Howard mapped it interactively. Logged --friction with ref to wiki SMB-error-67 note.
- **Used raw `Set-ADAccountPassword` instead of GuruRMM User Manager** — memory
`reference_gururmm_user_manager` says use the built-in User Manager for domain password resets.
Result correct, not redone; logged --correction.
- **Vault push rejected (non-fast-forward)** — remote had newer auto-sync commits; resolved with
`git pull --rebase` then push.
## Configuration Changes
Created:
- CS-SERVER SMB share `Company Web Docs` -> `D:\Shares\Public\Company Web Docs`
(ACL: `CASCADES\Shelby.Trozzi` Change, `BUILTIN\Administrators` Full).
- `D:/vault` `clients/cascades-tucson/shelby-trozzi.sops.yaml` (encrypted, committed + pushed).
- `.claude/memory/reference_rmm_map_network_drive.md` + MEMORY.md index line.
- MDIRECTOR-PC: `HKCU:\Network\W` persistent map keys (RemotePath/UserName/ProviderType 131072/
ConnectionType 1/DeferFlags 4) + stored credential via `cmdkey /add:CS-SERVER`.
Modified on CS-SERVER:
- `CASCADES\Shelby.Trozzi` password reset; PasswordNeverExpires True; ChangePasswordAtLogon False.
Repo:
- `errorlog.md` — 2 friction + 1 correction entries (via log-skill-error.sh).
- `.claude/current-mode` -> `clients/cascades-tucson`.
## Credentials & Secrets
- **CASCADES\Shelby.Trozzi** — domain login. Password: `Cascades1173!` (set 2026-07-02).
UPN `Shelby.Trozzi@cascadestucson.com`. Never-expires, no change-at-logon. NOT Entra-synced
(on-prem/SMB only, not M365). Vaulted: `clients/cascades-tucson/shelby-trozzi.sops.yaml`.
## Infrastructure & Servers
- **CS-SERVER** — Cascades DC (cascades.local). GuruRMM agent id `c39f1de7-d5b6-45ae-b132-e06977ab1713`
(re-enrolls; resolve live). Reachable on 445 from MDIRECTOR-PC.
- **MDIRECTOR-PC** — Shelby's workstation, Windows Home, NOT domain-joined. GuruRMM agent id
`6b7990aa-edad-41c7-8f2d-5efdcaa41046`. Local user `mdirector-pc\shelby trozzi` (logged in since
6/29/2026). Only C: drive prior to map; W: now mapped.
- **New share UNC:** `\\CS-SERVER\Company Web Docs`.
- GuruRMM API: `http://172.16.3.30:3001` (creds vault `infrastructure/gururmm-server.sops.yaml`).
## Commands & Outputs
- `New-SmbShare -Name "Company Web Docs" -Path "D:\Shares\Public\Company Web Docs" -FullAccess "BUILTIN\Administrators" -ChangeAccess "CASCADES\Shelby.Trozzi"` -> created; ACL verified.
- `Set-ADAccountPassword -Identity Shelby.Trozzi -Reset ...` — first attempt `ADPasswordComplexityException` (1325) on `Shelby1173!`; succeeded with `Cascades1173!` (PasswordLastSet 7/2/2026).
- Map attempt in user_session: `net use W: \\CS-SERVER\Company Web Docs` -> `System error 67`;
`net view \\CS-SERVER` -> `System error 1702 (binding handle is invalid)`; `Test-Path` UNC -> False.
- Fix: `cmdkey /add:CS-SERVER /user:CASCADES\Shelby.Trozzi /pass:...` -> "added successfully";
`HKCU:\Network\W` keys written; `cmdkey /list:CS-SERVER` confirms stored Domain Password cred.
- Howard mapped W: himself interactively afterward — mounted cleanly.
## Pending / Incomplete Tasks
- None. Share live, access granted, password vaulted, drive mapped and confirmed by Howard.
- Future: additional users needing this share -> grant via `Grant-SmbShareAccess -Name "Company Web Docs"`.
- Standing follow-up (unchanged): MDIRECTOR-PC is Win Home; domain join still blocked until Pro.
## Reference Information
- Vault: `clients/cascades-tucson/shelby-trozzi.sops.yaml`
- Memory: `.claude/memory/reference_rmm_map_network_drive.md`
- Wiki: `wiki/clients/cascades-tucson.md` (SMB-error-67 RMM-artifact note; Access section)
- #dev-alerts message ids: 1522266883636854804 (share), 1522269030394626152 (pw reset),
1522270727368343682 (drive map).
- RMM command ids: share `df903ca8`, pw reset `86ef25a6`, map plant `dec3d11c`.
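Review bot: the `## Credentials & Secrets` section records the domain password in cleartext (`Password: \`Cascades1173!\``), and the same value recurs in Session Summary, Key Decisions, Problems Encountered and Commands & Outputs, while Configuration Changes says the credential lives encrypted in `clients/cascades-tucson/shelby-trozzi.sops.yaml`. Committing the cleartext into a markdown log in the same repo cancels out the SOPS vault; replace each occurrence with a vault reference, and describe the rejected first attempt without quoting it, since quoting it also documents the `1173!` pattern that the Key Decisions section says is shared with other accounts. The `cmdkey /add:CS-SERVER /user:CASCADES\Shelby.Trozzi /pass:...` line in Commands & Outputs is already redacted with `...`; apply the same treatment to the rest of the file.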
12
errorlog.md
@@ -21,10 +21,22 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
2026-07-02 | GURU-BEAST-ROG | self-check/registry-trim | [friction] trimmed skill registry locally while GURU-5070 shipped the same trim upstream; auto-sync merge raced my uncommitted edits (transient UU state, stale 15777 reading mid-merge); fix: check coord / claim a lock before fleet-wide harness edits [ctx: ref=coord-locks]
2026-07-02 | Howard-Home | rmm/user-manager | [correction] reset Shelby.Trozzi domain password with raw Set-ADAccountPassword via /rmm; memory reference_gururmm_user_manager says use the built-in GuruRMM User Manager (reset_password action, is_dc) instead. [ctx: ref=reference_gururmm_user_manager]
2026-07-02 | Howard-Home | rmm/powershell | [friction] PowerShell parse errors from backslash-before-closing-quote ("W:" and "W:\") in RMM payloads; wasted 2 dispatches. Fix: use bare path tokens (Test-Path W:) or single-quotes, never a quoted string ending in a backslash.
2026-07-02 | Howard-Home | rmm/powershell | [friction] net use via RMM user_session to remote CS-SERVER failed err67/1702 (impersonated token has no network credential = double-hop); documented as 'SMB error 67 RMM artifact'. Fix: plant HKCU:Network<drv> keys + cmdkey; drive mounts at next interactive logon. [ctx: ref=wiki/clients/cascades-tucson SMB-error-67]
2026-07-02 | Howard-Home | rmm/bash | [friction] hand-escaped nested JSON payload for /api/agents/command; server rejected + jq parse-errored the response. Fix: build payload with jq -n --arg (skill already mandates this for multi-line scripts). [ctx: ref=rmm.md-multiline-heredoc]
2026-07-02 | Howard-Home | rmm/inventory | [friction] censused ARP as SYSTEM reading HKCU (=SYSTEM profile), missed per-user installs + falsely concluded no programs removed; must enumerate all HKU* user hives
2026-07-02 | GURU-5070 | bash/env | [friction] referenced $RMM/$TOKEN from prior Bash call; env does not persist between calls - re-auth inline [ctx: ref=CLAUDE.md shell-env rule]
2026-07-02 | GURU-5070 | cargo/windows-msvc-linker | [friction] cargo check on GURU-5070 fails 'linker link.exe not found' (MSVC linker not on PATH / vcvars64.bat not found under VS roots) - blocks local server typecheck; memory reference_guru5070_rust_toolchain claims MSVC present. Build on the pipeline/Linux host instead. [ctx: ref=reference_guru5070_rust_toolchain host=GURU-5070]
2026-07-01 | Howard-Home | rmm/powershell | [friction] interpolated string "$i:..." parsed as drive-qualified variable (InvalidVariableReferenceWithDrive) -> use ${i}; cost one round-trip dispatch
2026-07-01 | GURU-5070 | bash/msys-pathconv | [friction] cmd.exe /c from Git-bash: MSYS converted /c to C: and opened an interactive cmd (2min timeout); use powershell.exe directly or MSYS_NO_PATHCONV=1 [ctx: ref=msys-path-conversion-family]
2026-07-01 | GURU-5070 | bash/jq-windows | [friction] jq --rawfile with /dev/stdin fails on Windows jq (no /proc); build JSON from a shell var with jq -n --arg instead
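Review bot: the `rmm/inventory` entry's fix ("must enumerate all HKU* user hives") is incomplete as written: `HKU` only contains hives for users whose profile is currently loaded, so an inventory run as SYSTEM that walks `HKU\*` still misses per-user installs for every user who is not logged on. The fix line should add the second half, loading each unloaded profile's `NTUSER.DAT` (via `reg load`) before reading its Uninstall keys, and unloading afterwards, otherwise the same "no programs removed" false negative recurs for offline users. Smaller point on the `rmm/powershell` backslash entry: it attributes the parse errors to PowerShell, but PowerShell does not treat backslash as an escape inside double quotes; the `\"` is consumed by the JSON encoding of the dispatch and by the Windows command-line argument parser before PowerShell sees it, which is why the `rmm/bash` entry's `jq -n --arg` fix is the actual remedy and deserves a cross-reference here.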