From 42c8b232cdb5c45e57825a83f620b2355f5cbcde Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Thu, 25 Jun 2026 19:49:08 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-25 19:48:41 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-25 19:48:41 --- ...06-25-howard-nick-smb-share-and-mac-rmm.md | 152 ++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 clients/rednour/session-logs/2026-06/2026-06-25-howard-nick-smb-share-and-mac-rmm.md diff --git a/clients/rednour/session-logs/2026-06/2026-06-25-howard-nick-smb-share-and-mac-rmm.md b/clients/rednour/session-logs/2026-06/2026-06-25-howard-nick-smb-share-and-mac-rmm.md new file mode 100644 index 00000000..81b5cdd6 --- /dev/null +++ b/clients/rednour/session-logs/2026-06/2026-06-25-howard-nick-smb-share-and-mac-rmm.md 
@@ -0,0 +1,152 @@ +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Set up the long-deferred shared-drive access for Nick Pafford at Rednour Law Offices (Syncro +#32343, open as a P2 item since 2026-05-31). The "shared drive" was never pinned down in prior +sessions; this session identified it as the **`Documents` SMB share on REDNOURCARRIEVI** +(`C:\Users\Carrie\Documents`) by running `Get-SmbShare` across all three GuruRMM-enrolled +workstations. Rednour is a workgroup (no AD), so access requires a local Windows account on that +PC; the share was previously reached only via the local `emma` account (an active local account, +unrelated to the M365 Emma->Carla mailbox rename). + +After confirming the target with Howard and collecting decisions (dedicated account, Modify +access, LAN connectivity, Apple Silicon Mac), created a dedicated standard local account `nick` +on REDNOURCARRIEVI with PasswordNeverExpires, granted **share = Change** and **NTFS = Modify** +on the Documents folder. The credential was vaulted at +`clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. Howard mounted the share on Nick's Apple +Silicon Mac onsite (`smb://192.168.10.194/Documents`) and confirmed it working. + +The GuruRMM macOS agent install on Nick's Mac failed. Server-side checks showed the install +script + binary endpoints both return HTTP 200 (3.96 MB single-arch aarch64), so the artifact is +served fine. Root-cause hypothesis: the served aarch64 binary is **unsigned**, and Apple Silicon +SIGKILLs unsigned Mach-O binaries, so the LaunchDaemon never runs. The repo has +`agent/build-macos-signed.sh` (signs with Mike's Developer ID + notarizes) alongside the plain +unsigned `agent/build-macos.sh` — the server is almost certainly publishing the unsigned one. +Flagged via coord todo (project gururmm) and in the wiki; deferred for a fix (Howard only had a +limited ScreenConnect support session). 
+ +Documentation was updated: wiki `clients/rednour.md` (Nick share marked done, new File Shares +section, macOS-unsigned-agent known issue, return-visit + RMM-fail open items), an errorlog +friction entry, and a new memory on the RMM Set-Acl timeout. Billing and the Syncro internal +note were explicitly deferred to tomorrow per Howard — no Syncro writes were made this session. + +## Key Decisions + +- **Dedicated `nick` local account** over reusing the existing `emma`/`localadmin` creds — per-user + accountability; `emma` is confusingly named and `localadmin` is over-privileged. +- **Modify (read/write)** on the Documents share, matching a normal working-folder need. +- **Generate the password locally in the Bash tool and inject via placeholder** after two RMM + command timeouts lost the on-box-generated password (stdout is dropped on timeout). Final + password was set to a Howard-specified value. +- **NTFS grant via `icacls` (folder-only ACE, inheritance handles children)** instead of + PowerShell `Set-Acl` re-stamping the whole tree, which was the step that timed out. +- **Defer all Syncro billing + the internal note to tomorrow** (Howard's call). Noted that Syncro + supports multiple invoices per ticket, so the already-Invoiced #32343 can still take a new + invoice for today's onsite labor. +- **Updated the wiki directly** (vs `/wiki-compile`) at Howard's request, given the targeted + factual changes and that he was wrapping up onsite. + +## Problems Encountered + +- **RMM command timeouts on ACL propagation.** PowerShell `Set-Acl` with inheritance on Carrie's + large Documents tree exceeded `timeout_seconds` (90s, then 120s); since stdout is dropped on + timeout, the randomly-generated password printed in the same script was lost twice. Resolved by + generating the password locally (retained regardless of timeout), setting it in an isolated + fast command, and applying the NTFS ACE with `icacls` (no `/T`). 
Logged to errorlog (`rmm/acl`, + --friction) and saved as memory `feedback_rmm_setacl_timeout_password_loss`. +- **GuruRMM macOS agent did not install** on Nick's Apple Silicon Mac — server serves the binary + fine; hypothesis is the served aarch64 binary is unsigned (SIGKILL on Apple Silicon). Deferred; + coord todo filed. +- **Ticket #32343 is `Invoiced`, not `Resolved`** (wiki was stale). A new labor line would not + land on the existing invoice; surfaced to Howard, who deferred billing to tomorrow. + +## Configuration Changes + +**REDNOURCARRIEVI (client machine, via GuruRMM):** +- Created local user `nick` (FullName "Nick Pafford", standard user, member of Users, + PasswordNeverExpires, AccountNeverExpires). +- `Documents` SMB share: granted `REDNOURCARRIEVI\nick` = Change. +- NTFS on `C:\Users\Carrie\Documents`: granted `REDNOURCARRIEVI\nick` = Modify (OI)(CI). + +**ClaudeTools repo (committed + pushed):** +- `wiki/clients/rednour.md` — Nick share done; File Shares section; macOS-unsigned known issue; + return-visit + RMM-fail open items; contact row updated. +- `errorlog.md` — rmm/acl friction entry. +- `.claude/memory/feedback_rmm_setacl_timeout_password_loss.md` + `.claude/memory/MEMORY.md` index. + +**Vault repo (committed + pushed):** +- `clients/rednour/nick-smb-rednourcarrievi.sops.yaml` — new credential entry. + +## Credentials & Secrets + +- **Nick Pafford SMB account** — `REDNOURCARRIEVI\nick` / `Kg5Qe2Kc3` (PasswordNeverExpires). + Vaulted at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. For SMB access to + `\\REDNOURCARRIEVI\Documents` (share=Change, NTFS=Modify). Mac mount: + `smb://192.168.10.194/Documents`. + +## Infrastructure & Servers + +- **REDNOURCARRIEVI** — Carrie Rednour's workstation; 192.168.10.194 (LAN) / 10.147.17.253 + (ZeroTier). GuruRMM agent id `8e4e2221-7e2a-4a6f-9eda-864568539961`, client "Rednour Law + Offices", site "Main". 
+- **SMB shares on REDNOURCARRIEVI:** `Documents` + `ShareName` (both -> `C:\Users\Carrie\Documents`), + `Time Matters Shared Files`, `Timeslips`, `Program Files sage`, `Users`, `New folder`. Several + over-broad (Everyone=Full on Program Files/Users/Time Matters) — security cleanup candidate. +- **Local accounts on REDNOURCARRIEVI:** Carrie, emma (active), localadmin, guru, + QBDataServiceUser26, + new `nick`. +- **GuruRMM macOS install (site GREEN-FALCON-7214):** install script + `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos` (HTTP 200); binary + `.../download/macos` (HTTP 200, 3.96 MB, single-arch aarch64, default Apple Silicon). +- **Rednour (Syncro):** customer "Rednour Law" id 1224246, prepay_hours 0.0; ticket #32343 + (id 111409967) status Invoiced, owner Mike (1735). + +## Commands & Outputs + +```bash +# RMM auth + find Rednour agents +eval "$(bash .claude/scripts/rmm-auth.sh)" +# Get-SmbShare across 3 PCs -> Documents share on REDNOURCARRIEVI = C:\Users\Carrie\Documents + +# Create account + share grant (share succeeded; Set-Acl timed out) +New-LocalUser nick / Grant-SmbShareAccess Documents Change / Set-Acl (TIMEOUT 90s) + +# Recover: set known password (fast), apply NTFS via icacls (folder ACE) +Set-LocalUser nick -Password Kg5Qe2Kc3 -PasswordNeverExpires $true # OK +icacls "C:\Users\Carrie\Documents" /grant "REDNOURCARRIEVI\nick:(OI)(CI)M" + +# Vault +bash .claude/skills/vault/scripts/vault-helper.sh new clients/rednour/nick-smb-rednourcarrievi ... + +# Coord todo (gururmm macOS signing fix) +coord.py todo add "GuruRMM macOS agent install fails on Apple Silicon ..." --project gururmm +# id=6f2d22be-e653-48c8-9f9b-0155420b315d +``` + +## Pending / Incomplete Tasks + +- **Syncro #32343 billing — tomorrow.** 0.5h onsite labor (product 26118, $175/hr, $87.50) for + today's share setup, plus the internal work note. Deferred by Howard. Ticket is Invoiced; + attach a new invoice (Syncro allows multiple per ticket). prepay_hours 0.0. 
+- **Fix GuruRMM macOS agent for Apple Silicon** (coord todo 6f2d22be) — serve the signed+notarized + arm64 binary (build-macos-signed.sh) or ad-hoc `codesign -s -` in the install script. Then enroll + Nick's Mac. Confirm root cause with Mac log (`killed: 9` / `sudo /usr/local/bin/gururmm-agent run`). +- **Auto-reconnect on Nick's Mac** — add the mounted Documents volume to System Settings > General > + Login Items (the "+" in Connect to Server only adds a Favorite, not auto-mount). To be done in + Nick's user session. +- **Return visit** — phone + printer setup at Rednour; may require running a new wire / installing a + switch. +- **Security cleanup (lower priority):** over-broad Everyone=Full shares on REDNOURCARRIEVI. + +## Reference Information + +- Syncro ticket #32343: https://computerguru.syncromsp.com/tickets/111409967 +- Vault: `clients/rednour/nick-smb-rednourcarrievi.sops.yaml` +- Coord todo: 6f2d22be-e653-48c8-9f9b-0155420b315d (project gururmm) +- GuruRMM agent (REDNOURCARRIEVI): 8e4e2221-7e2a-4a6f-9eda-864568539961 +- macOS build scripts: `projects/msp-tools/guru-rmm/agent/build-macos.sh` (unsigned), + `build-macos-signed.sh` (Developer ID: MICHAEL PHILLIP SWANSON N2LVAL4LQP), `build-macos-pkg.sh` +- Memory: `.claude/memory/feedback_rmm_setacl_timeout_password_loss.md`
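Review bot: The `## Credentials & Secrets` section and the `Set-LocalUser nick -Password ...` line under `## Commands & Outputs` both commit the plaintext password for `REDNOURCARRIEVI\nick`, even though the same log states the credential is already vaulted at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. Replace both occurrences with a pointer to the vault path, and rotate the password on REDNOURCARRIEVI: the value remains in git history once this auto-sync commit is pushed, and with PasswordNeverExpires set on the account it will not age out on its own. Since the subject line shows this commit was produced by an auto-sync, a redaction or secret-scan step before the commit would keep later session logs from carrying credentials.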