From 26f47fdd103550140a72af0e53f4f65454d82a8e Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Thu, 2 Jul 2026 09:09:05 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-07-02 09:08:36 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-07-02 09:08:36 --- .claude/memory/MEMORY.md | 1 + .../memory/reference_rmm_map_network_drive.md | 19 +++ .../2026-07-02-howard-shelby-webdocs-share.md | 129 ++++++++++++++++++ errorlog.md | 12 ++ 4 files changed, 161 insertions(+) create mode 100644 .claude/memory/reference_rmm_map_network_drive.md create mode 100644 clients/cascades-tucson/session-logs/2026-07/2026-07-02-howard-shelby-webdocs-share.md diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index 3f499775..247d05eb 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -4,6 +4,7 @@ - [ACG resource map](reference_resource_map.md) — **READ THIS FIRST** when a task references a server/service/tenant/API. What we have access to, how to connect from this machine, per-machine exceptions, gotchas. Points at the detail files below. - [ALIS (Medtelligent)](reference_alis_medtelligent.md) — Cascades assisted-living EHR. API host api.alisonline.com, community 622; username must be tenant-qualified (howard.enos@cascadestucson). Staff are READ-ONLY via API — create/change staff via web-UI Staff Import .xls. Use the `alis` skill. - [GuruRMM User Manager](reference_gururmm_user_manager.md) — GuruRMM has a built-in per-agent User Manager tab (reset_password/enable/disable/groups for local+domain+AAD endpoint users; domain users only on a DC via `is_dc`). Use it, NOT raw Set-ADAccountPassword via /rmm. Endpoints: /api/agents/{id}/users + /users/action. +- [RMM map network drive (err67 double-hop)](reference_rmm_map_network_drive.md) — Pushing a persistent mapped drive to a remote share via /rmm user_session fails with err67/1702 (impersonated token = no network cred/double-hop). Plant HKCU:\Network\ keys + cmdkey; mounts at next interactive logon. Immediate visibility needs the live session (ScreenConnect). - [exchange-op = all-access Exchange tier](feedback_exchange_op_all_access.md) — STOP claiming "no tier can write mail." Exchange Operator app = Exchange Admin role + full_access_as_app + Exchange.ManageAsApp = full all-access (move mail, rules, config, EWS). Default to `exchange-op` for any Exchange write. - [Tedards tenant facts](reference_tedards_tenant_facts.md) — Bill Tedards law office; tenant `4fcbb1f4…`; bt@/y226@ mailboxes; matter-number filing; UAL ingestion OFF; 9 synced devices; botched-import DUPLICATE folder. 
- [Investigator EXO ManageAsApp gap](reference_investigator_exo_manageasapp_gap.md) — Security Investigator app lacks `Exchange.ManageAsApp` (only `full_access_as_app`) so `investigator-exo` 401s on EXO adminapi; use `exchange-op` tier for InvokeCommand. diff --git a/.claude/memory/reference_rmm_map_network_drive.md b/.claude/memory/reference_rmm_map_network_drive.md new file mode 100644 index 00000000..7fdd8191 --- /dev/null +++ b/.claude/memory/reference_rmm_map_network_drive.md 
@@ -0,0 +1,19 @@ +--- +name: reference_rmm_map_network_drive +description: How to push a persistent mapped network drive to a machine via GuruRMM when net use fails with error 67 (double-hop) +metadata: + type: reference +--- + +Pushing a **persistent mapped drive** to an endpoint via the GuruRMM agent (`/rmm`) fails when the target share is on a *remote* server: + +- Running `net use` in `context: user_session` impersonates the logged-on user, but that WTS-impersonated token has **no network credential** to make the second hop to the file server. Result: `System error 67 (network name cannot be found)` on `net use` and `System error 1702 (binding handle is invalid)` on `net view` — even with explicit `/user:.. `. This is the "SMB error 67 = RMM artifact" documented in `wiki/clients/cascades-tucson.md` (server + share are healthy; access works in a real interactive session). + +**Reliable workaround — plant the map so it mounts at the user's next real logon:** +1. `cmdkey /add: /user: /pass:` in `user_session` — this is a *local* write to the user's Credential Manager and DOES succeed. +2. Write the persistent-map registry keys into the user's hive `HKCU:\Network\`: `RemotePath` (REG_SZ, `\\SERVER\Share`), `UserName` (REG_SZ, `DOMAIN\user`), `ProviderName` (`Microsoft Windows Network`), `ProviderType` (DWord `131072`), `ConnectionType` (DWord `1`), `DeferFlags` (DWord `4`). +3. At the user's **next interactive logon / reboot**, Windows reconnects the drive silently using the cmdkey credential. It will NOT appear in an already-open session — for immediate visibility, run `net use : "\\SERVER\Share"` in the *live* interactive session (ScreenConnect), not through the RMM agent. + +Non-domain-joined (workgroup) endpoints authenticate with `DOMAIN\user` + password saved via cmdkey — the domain account only needs to exist and be reachable, the client PC does not need to be joined. 
+ +PowerShell-in-RMM gotcha hit while doing this: a double-quoted string ending in a backslash (`"W:\"`, `"W:\\"`) breaks the parser — use bare path tokens (`Test-Path W:\`) or single quotes. See [[feedback_windows_quote_stripping]]. diff --git a/clients/cascades-tucson/session-logs/2026-07/2026-07-02-howard-shelby-webdocs-share.md b/clients/cascades-tucson/session-logs/2026-07/2026-07-02-howard-shelby-webdocs-share.md new file mode 100644 index 00000000..0ba3cdcb --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-07/2026-07-02-howard-shelby-webdocs-share.md 
@@ -0,0 +1,129 @@ +# Cascades - Shelby Trozzi "Company Web Docs" share + mapped drive + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Set up file-share access for Shelby Trozzi (MemCare Director) to the "Company Web Docs" +folder on CS-SERVER (Cascades DC). The request was to make `D:\Shares\Public\Company Web Docs` +an SMB share and grant Shelby access so the share could then be mapped as a drive on her +workstation (MDIRECTOR-PC). + +Work proceeded via GuruRMM against CS-SERVER (agent resolved live by hostname). A read-only +discovery pass confirmed the folder existed (NTFS = inherited `Everyone:FullControl`), that it +was NOT currently shared (no SMB share pointed at it or at `Public`), and that Shelby already +had a domain account (`CASCADES\Shelby.Trozzi`, enabled). Howard chose the share name +`Company Web Docs` (with spaces) and Read/Write (Change) access. Created the SMB share with +`New-SmbShare` granting `CASCADES\Shelby.Trozzi` Change and `BUILTIN\Administrators` Full — the +share ACL is the effective gate (NTFS left as inherited Everyone:Full), so Shelby's effective +access is Change. + +Discovered Shelby had never logged into her domain account (`logonCount = 0`, `lastLogon = never`) +and there was no vaulted password for her. Confirmed her account is in +`OU=Care-Memorycare,OU=Departments` with no `ConsistencyGuid` = NOT Entra-synced, so an on-prem +password reset was safe (would not affect any M365 sign-in). Reset her password (first attempt +`Shelby1173!` was rejected by AD complexity for containing her name; used `Cascades1173!` at +Howard's direction to keep the `1173!` pattern), set never-expires / no change-at-logon, and +vaulted it at `clients/cascades-tucson/shelby-trozzi.sops.yaml`. + +Attempted to push the drive map to MDIRECTOR-PC (Win Home, not domain-joined) via RMM +`user_session` context. 
The map failed with System error 67 (and `net view` with 1702) even with +explicit credentials — the RMM agent's impersonated token has no network credential to reach +CS-SERVER (double-hop; the documented "SMB error 67 RMM artifact"). Worked around it by storing +the credential via `cmdkey` and planting a persistent map in her hive at `HKCU:\Network\W`, which +reconnects at her next interactive logon. Howard then mapped the drive himself in Shelby's live +session (ScreenConnect), confirming it mounted cleanly. Task complete. + +## Key Decisions + +- **Share name `Company Web Docs` (with spaces), Change access** — Howard's explicit choice via + AskUserQuestion (offered WebDocs/CompanyWebDocs/exact-name and Read vs Read/Write). +- **Gate at the share ACL, leave NTFS untouched** — folder already inherits `Everyone:FullControl` + from `Public`; the new share is the only network path to it, so granting only Shelby + Admins at + the share level limits access without disturbing the `Public` NTFS tree. Effective = Change. +- **On-prem password reset deemed safe** — verified not Entra-synced (no ConsistencyGuid, OU not in + sync scope), so reset does not ripple to M365. +- **Password `Cascades1173!`** — `Shelby1173!` blocked by AD complexity (contains user name); kept + the `1173!` numbers per Howard, swapped name part for `Cascades`. +- **Planted HKCU map + cmdkey instead of live net use** — RMM cannot drive an outbound authenticated + mount from the impersonated session; the registry/cmdkey approach mounts at next logon. Immediate + visibility left to interactive session (Howard did it). + +## Problems Encountered + +- **RMM dispatch JSON malformed** (hand-escaped nested quotes) → jq parse error on response. Fix: + build payload with `jq -n --arg` per the /rmm skill. Logged --friction. +- **PowerShell parse errors from backslash-before-closing-quote** (`"W:\"`, `"W:\\"`) broke two + dispatches (compile error = nothing ran). 
Fix: bare path tokens (`Test-Path W:\`) or single quotes. + Logged --friction. +- **AD password complexity rejection** — `Shelby1173!` contained her name; AD blocks names in + passwords regardless of length/symbols. Resolved with `Cascades1173!`. +- **SMB error 67 / RPC 1702 on the map** — RMM `user_session` impersonation double-hop; cannot make + outbound authenticated SMB to CS-SERVER. Resolved via cmdkey + `HKCU:\Network\W` (mounts at logon), + then Howard mapped it interactively. Logged --friction with ref to wiki SMB-error-67 note. +- **Used raw `Set-ADAccountPassword` instead of GuruRMM User Manager** — memory + `reference_gururmm_user_manager` says use the built-in User Manager for domain password resets. + Result correct, not redone; logged --correction. +- **Vault push rejected (non-fast-forward)** — remote had newer auto-sync commits; resolved with + `git pull --rebase` then push. + +## Configuration Changes + +Created: +- CS-SERVER SMB share `Company Web Docs` -> `D:\Shares\Public\Company Web Docs` + (ACL: `CASCADES\Shelby.Trozzi` Change, `BUILTIN\Administrators` Full). +- `D:/vault` `clients/cascades-tucson/shelby-trozzi.sops.yaml` (encrypted, committed + pushed). +- `.claude/memory/reference_rmm_map_network_drive.md` + MEMORY.md index line. +- MDIRECTOR-PC: `HKCU:\Network\W` persistent map keys (RemotePath/UserName/ProviderType 131072/ + ConnectionType 1/DeferFlags 4) + stored credential via `cmdkey /add:CS-SERVER`. + +Modified on CS-SERVER: +- `CASCADES\Shelby.Trozzi` password reset; PasswordNeverExpires True; ChangePasswordAtLogon False. + +Repo: +- `errorlog.md` — 2 friction + 1 correction entries (via log-skill-error.sh). +- `.claude/current-mode` -> `clients/cascades-tucson`. + +## Credentials & Secrets + +- **CASCADES\Shelby.Trozzi** — domain login. Password: `Cascades1173!` (set 2026-07-02). + UPN `Shelby.Trozzi@cascadestucson.com`. Never-expires, no change-at-logon. NOT Entra-synced + (on-prem/SMB only, not M365). 
Vaulted: `clients/cascades-tucson/shelby-trozzi.sops.yaml`. + +## Infrastructure & Servers + +- **CS-SERVER** — Cascades DC (cascades.local). GuruRMM agent id `c39f1de7-d5b6-45ae-b132-e06977ab1713` + (re-enrolls; resolve live). Reachable on 445 from MDIRECTOR-PC. +- **MDIRECTOR-PC** — Shelby's workstation, Windows Home, NOT domain-joined. GuruRMM agent id + `6b7990aa-edad-41c7-8f2d-5efdcaa41046`. Local user `mdirector-pc\shelby trozzi` (logged in since + 6/29/2026). Only C: drive prior to map; W: now mapped. +- **New share UNC:** `\\CS-SERVER\Company Web Docs`. +- GuruRMM API: `http://172.16.3.30:3001` (creds vault `infrastructure/gururmm-server.sops.yaml`). + +## Commands & Outputs + +- `New-SmbShare -Name "Company Web Docs" -Path "D:\Shares\Public\Company Web Docs" -FullAccess "BUILTIN\Administrators" -ChangeAccess "CASCADES\Shelby.Trozzi"` -> created; ACL verified. +- `Set-ADAccountPassword -Identity Shelby.Trozzi -Reset ...` — first attempt `ADPasswordComplexityException` (1325) on `Shelby1173!`; succeeded with `Cascades1173!` (PasswordLastSet 7/2/2026). +- Map attempt in user_session: `net use W: \\CS-SERVER\Company Web Docs` -> `System error 67`; + `net view \\CS-SERVER` -> `System error 1702 (binding handle is invalid)`; `Test-Path` UNC -> False. +- Fix: `cmdkey /add:CS-SERVER /user:CASCADES\Shelby.Trozzi /pass:...` -> "added successfully"; + `HKCU:\Network\W` keys written; `cmdkey /list:CS-SERVER` confirms stored Domain Password cred. +- Howard mapped W: himself interactively afterward — mounted cleanly. + +## Pending / Incomplete Tasks + +- None. Share live, access granted, password vaulted, drive mapped and confirmed by Howard. +- Future: additional users needing this share -> grant via `Grant-SmbShareAccess -Name "Company Web Docs"`. +- Standing follow-up (unchanged): MDIRECTOR-PC is Win Home; domain join still blocked until Pro. 
+ +## Reference Information + +- Vault: `clients/cascades-tucson/shelby-trozzi.sops.yaml` +- Memory: `.claude/memory/reference_rmm_map_network_drive.md` +- Wiki: `wiki/clients/cascades-tucson.md` (SMB-error-67 RMM-artifact note; Access section) +- #dev-alerts message ids: 1522266883636854804 (share), 1522269030394626152 (pw reset), + 1522270727368343682 (drive map). +- RMM command ids: share `df903ca8`, pw reset `86ef25a6`, map plant `dec3d11c`. diff --git a/errorlog.md b/errorlog.md index ca9b81c6..4ba4db4e 100644 --- a/errorlog.md +++ b/errorlog.md 
@@ -21,10 +21,22 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · 2026-07-02 | GURU-BEAST-ROG | self-check/registry-trim | [friction] trimmed skill registry locally while GURU-5070 shipped the same trim upstream; auto-sync merge raced my uncommitted edits (transient UU state, stale 15777 reading mid-merge); fix: check coord / claim a lock before fleet-wide harness edits [ctx: ref=coord-locks] +2026-07-02 | Howard-Home | rmm/user-manager | [correction] reset Shelby.Trozzi domain password with raw Set-ADAccountPassword via /rmm; memory reference_gururmm_user_manager says use the built-in GuruRMM User Manager (reset_password action, is_dc) instead. [ctx: ref=reference_gururmm_user_manager] + +2026-07-02 | Howard-Home | rmm/powershell | [friction] PowerShell parse errors from backslash-before-closing-quote ("W:" and "W:\") in RMM payloads; wasted 2 dispatches. Fix: use bare path tokens (Test-Path W:) or single-quotes, never a quoted string ending in a backslash. + +2026-07-02 | Howard-Home | rmm/powershell | [friction] net use via RMM user_session to remote CS-SERVER failed err67/1702 (impersonated token has no network credential = double-hop); documented as 'SMB error 67 RMM artifact'. Fix: plant HKCU:Network keys + cmdkey; drive mounts at next interactive logon. [ctx: ref=wiki/clients/cascades-tucson SMB-error-67] + +2026-07-02 | Howard-Home | rmm/bash | [friction] hand-escaped nested JSON payload for /api/agents/command; server rejected + jq parse-errored the response. Fix: build payload with jq -n --arg (skill already mandates this for multi-line scripts). 
[ctx: ref=rmm.md-multiline-heredoc] + +2026-07-02 | Howard-Home | rmm/inventory | [friction] censused ARP as SYSTEM reading HKCU (=SYSTEM profile), missed per-user installs + falsely concluded no programs removed; must enumerate all HKU* user hives + 2026-07-02 | GURU-5070 | bash/env | [friction] referenced $RMM/$TOKEN from prior Bash call; env does not persist between calls - re-auth inline [ctx: ref=CLAUDE.md shell-env rule] 2026-07-02 | GURU-5070 | cargo/windows-msvc-linker | [friction] cargo check on GURU-5070 fails 'linker link.exe not found' (MSVC linker not on PATH / vcvars64.bat not found under VS roots) - blocks local server typecheck; memory reference_guru5070_rust_toolchain claims MSVC present. Build on the pipeline/Linux host instead. [ctx: ref=reference_guru5070_rust_toolchain host=GURU-5070] +2026-07-01 | Howard-Home | rmm/powershell | [friction] interpolated string "$i:..." parsed as drive-qualified variable (InvalidVariableReferenceWithDrive) -> use ${i}; cost one round-trip dispatch + 2026-07-01 | GURU-5070 | bash/msys-pathconv | [friction] cmd.exe /c from Git-bash: MSYS converted /c to C: and opened an interactive cmd (2min timeout); use powershell.exe directly or MSYS_NO_PATHCONV=1 [ctx: ref=msys-path-conversion-family] 2026-07-01 | GURU-5070 | bash/jq-windows | [friction] jq --rawfile with /dev/stdin fails on Windows jq (no /proc); build JSON from a shell var with jq -n --arg instead
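Review bot: in the reference_rmm_map_network_drive.md hunk, step 1 `cmdkey /add: /user: /pass:` and step 3 `net use : "\\SERVER\Share"` have lost their placeholder tokens (target server, user, password, drive letter), most likely angle-bracketed placeholders that the markdown renderer swallowed; put them in code spans so the page shows `cmdkey /add:SERVER /user:DOMAIN\user /pass:PASSWORD` and `net use W: "\\SERVER\Share"`. The step also deserves one sentence on where the password ends up: with `/pass:` on the command line, the cleartext credential travels inside the RMM dispatch payload and is kept wherever the RMM retains command history (the session log in this same commit references the map-plant dispatch by command id), so the reference should say that the dispatch record is itself sensitive and that the credential stored by `cmdkey` in the user's Credential Manager is what later logons will use.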
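Review bot: the session-log hunk writes the new domain password `Cascades1173!` in cleartext in four places (Session Summary, Key Decisions, Credentials & Secrets, Commands & Outputs) while also stating it was vaulted at `clients/cascades-tucson/shelby-trozzi.sops.yaml`; because this is an auto-sync commit the plaintext now sits in git history next to the sops-encrypted copy, which defeats the vault. Replace each occurrence with a pointer to the vault file (the `cmdkey /add:CS-SERVER /user:CASCADES\Shelby.Trozzi /pass:...` line already does this correctly), and since the value is already in history the account's password should be rotated rather than only redacted. The Key Decisions entry also records the rejected candidate `Shelby1173!` and the kept `1173!` pattern, which reveals the construction rule and should go with it; note too that PasswordNeverExpires True plus ChangePasswordAtLogon False is stated as a decision without the reason, and the log should give it.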
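Review bot: in the errorlog.md hunk the rmm/powershell friction entry has lost the backslashes that are its whole subject: it reads `("W:" and "W:\")`, `Test-Path W:` and `HKCU:Network keys`, whereas the memory file added in the same commit has `"W:\"`, `"W:\\"`, `Test-Path W:\` and `HKCU:\Network\`. The entries are written through log-skill-error.sh, so the script or the shell quoting of its argument is probably eating the backslashes; correct the three affected entries to match the reference file and check the logger's quoting, otherwise the log no longer shows which form triggers the parser error and the documented fix is unreadable.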