sync: auto-sync from GURU-5070 at 2026-06-11 08:10:50
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-11 08:10:50
@@ -6,11 +6,22 @@ type: feedback
When diagnosing remote file-share or network-printer reachability, do NOT trust results from
GuruRMM `net use` / `net view` / `Add-Printer -ConnectionName \\HOST\...` — including in
`context: user_session`. That context is a **WTS-impersonated, non-interactive token**, which
cannot stand up an authenticated SMB session to a remote server. It returns **System error 67
("network name cannot be found")** and **RPC 1702 ("binding handle invalid")** regardless of how
healthy the path is — and even when you pass explicit valid credentials. It is not measuring what
the logged-on user actually sees.
`context: user_session`. Empirically it returns **System error 67 ("network name cannot be found")**
and **RPC 1702 ("binding handle invalid")** for shares/printers that work fine in the user's real
interactive logon — even when you pass explicit valid credentials. Treat its SMB results as
**"can't tell," not "broken"**; verify in the real session (ScreenConnect).
**Root cause is NOT a naive impersonation/double-hop defect (corrected 2026-06-11).** The agent's
`run_command_in_session` (`agent/src/watchdog/wts.rs`) uses the textbook-correct pattern —
`WTSQueryUserToken` → `DuplicateTokenEx(TokenPrimary)` → `CreateProcessAsUserW` — and `whoami`
confirms commands genuinely run AS the user in their session. And error 67 persists even with
**explicit** `/user:.. <pw>` creds, which rules out a missing-network-credential/SSO gap. So the
mechanism runs as the user correctly; the SMB failure is a subtler, still-unresolved behavior of
the spawned-process context. Leading suspects: **UAC split token** (WTSQueryUserToken may return the
filtered token while printer/SMB state lives on the linked token — the `EnableLinkedConnections`
family of bug), or a missing **window station / `lpDesktop` / loaded user profile** changing
redirector/MUP behavior. Tracked as a GuruRMM engineering item (RMM_THOUGHTS). Until pinned, the
practical rule above stands.
**Why:** Mike, 2026-06-11 (Wolkin / RSW-Laptop printer). Julie reported "no printers." Over RMM I
verified ZeroTier up, name resolution, TCP 445/139 open, MTU 2800 full DF packets, FRONT spooler
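Review bot: the inference in the sentence beginning `And error 67 persists even with **explicit** /user:.. <pw> creds, which rules out a missing-network-credential/SSO gap` proves less than it claims, and the same weakness undercuts the suspect list that follows. System error 67 is ERROR_BAD_NET_NAME, which MUP/the redirector returns before any credential is presented to the server; a credential or second-hop problem surfaces as error 5, 86 or 1326, so passing `/user:` credentials cannot move a 67 either way and does not discriminate between the listed suspects. The RPC 1702 from `net view` is also not an independent symptom worth listing beside it: `net view` reaches srvsvc over a named pipe on the same SMB session, so it fails as a consequence of the 67. Since the paragraph names the UAC split token as the leading suspect, the cheap evidence to record in this note is `whoami /groups` and `whoami /logonid` run both via `run_command_in_session` and in Julie's real session: the `Mandatory Label` line shows whether the spawned process holds the filtered Medium token or the elevated one, and matching logon IDs would mean the two already share a logon session, in which case the `EnableLinkedConnections` theory cannot explain the difference (mapped drives and printer connections are scoped to the logon session, which is exactly what that theory relies on). `whoami` alone, as cited in the hunk, only confirms the user name. Suggest replacing the "rules out" sentence with the 67-precedes-auth observation and adding those two commands to the RMM_THOUGHTS item.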
@@ -88,7 +88,7 @@ backlinks: []
## Patterns & Known Issues
- **macOS Syncro JSON parsing:** Syncro customer lookup from Mac failed due to JSON parsing issues (2026-06-07). Use Windows PC for Syncro API operations or manual web portal lookups.
- **ZeroTier print RPC needs Private profile:** File-and-Printer-Sharing inbound rules (incl. Print Spooler RPC) apply to the Private profile only. The ZeroTier interface was Public on both FRONT and RSW-Laptop, which blocked print/RPC over ZT while file SMB still worked. Fix: set the ZT interface Private on both ends. (Confirmed still Private both ends 2026-06-11.)
- **[MEASUREMENT ARTIFACT — not a real fault] SMB/printer tests via the GuruRMM agent give FALSE error 67 / RPC 1702; the real interactive session works.** The printer to `\\front\Sharp` **works** for Julie when she is logged in (confirmed 2026-06-11 by remoting in). But every SMB test run through the **GuruRMM agent's `user_session` context fails** — `net use \\FRONT\IPC$` (and by IP) → System error 67, `net view` → RPC 1702, `Add-Printer -ConnectionName` → 67 — **even with valid `FRONT\julie` creds.** Cause: RMM `user_session` is a **WTS-impersonated, non-interactive token**, which cannot establish an authenticated SMB session to a remote host (the network second-hop/credential context isn't there). It is NOT measuring what Julie's real logon sees. The underlying plumbing is genuinely fine (ZeroTier up, 445/139 open, MTU 2800 full DF, FRONT shared + Private + SMB-In, bindings present) — which is why it prints interactively. **Rule: do NOT use RMM `net use`/`net view`/`Add-Printer` to judge SMB/printer health to a remote host — its 67/1702 means "can't tell," not "broken." Verify via the real session (ScreenConnect).** The 2026-06-07 "wall" was this same artifact (Mike's "manual fix" worked only because it was interactive). See [[../../.claude/memory/feedback_rmm_user_session_smb_false_negative]]. Unrelated tip: `Get-NetAdapterBinding -Name "ZeroTier One [..]"` returns empty because `[ ]` are PowerShell wildcards — use `-InterfaceDescription "ZeroTier Virtual Port"`.
- **[MEASUREMENT ARTIFACT — not a real fault] SMB/printer tests via the GuruRMM agent give FALSE error 67 / RPC 1702; the real interactive session works.** The printer to `\\front\Sharp` **works** for Julie when she is logged in (confirmed 2026-06-11 by remoting in). But every SMB test run through the **GuruRMM agent's `user_session` context fails** — `net use \\FRONT\IPC$` (and by IP) → System error 67, `net view` → RPC 1702, `Add-Printer -ConnectionName` → 67 — **even with valid `FRONT\julie` creds.** Cause: still unresolved, but NOT a naive impersonation defect — the agent runs these AS the user correctly (`WTSQueryUserToken`→`DuplicateTokenEx(TokenPrimary)`→`CreateProcessAsUserW`; `whoami` returns `rsw-laptop\julie`), and error 67 persists even with explicit creds (so not an SSO/credential gap). Suspect UAC split-token (`EnableLinkedConnections`) or missing window-station/profile in the spawned context. Tracked in GuruRMM RMM_THOUGHTS. Regardless of cause, RMM is NOT measuring what Julie's real logon sees. The underlying plumbing is genuinely fine (ZeroTier up, 445/139 open, MTU 2800 full DF, FRONT shared + Private + SMB-In, bindings present) — which is why it prints interactively. **Rule: do NOT use RMM `net use`/`net view`/`Add-Printer` to judge SMB/printer health to a remote host — its 67/1702 means "can't tell," not "broken." Verify via the real session (ScreenConnect).** The 2026-06-07 "wall" was this same artifact (Mike's "manual fix" worked only because it was interactive). See [[../../.claude/memory/feedback_rmm_user_session_smb_false_negative]]. Unrelated tip: `Get-NetAdapterBinding -Name "ZeroTier One [..]"` returns empty because `[ ]` are PowerShell wildcards — use `-InterfaceDescription "ZeroTier Virtual Port"`.
- **Canonical data is local, not OneDrive:** the firm's repository is `C:\Shared Data\CLIENT FILES` on FRONT (local). OneDrive copies under `OneDrive\Documents` / `OneDrive\Shared Data` were stale predecessors from a defunct Resilio/ownCloud sync setup — consolidated and removed 2026-06-08. Win11 Home does not surface the Explorer "Previous Versions" tab; VSS restores are admin-side (mount the shadow volume).
## Active Work
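Review bot: the replacement `[MEASUREMENT ARTIFACT ...]` bullet restates the whole root-cause discussion that the feedback note it links to (`feedback_rmm_user_session_smb_false_negative`, updated in the previous hunk) now owns, and the two copies already differ in wording (this bullet quotes `whoami` returning `rsw-laptop\julie` and names `EnableLinkedConnections`; the feedback note adds the window-station/`lpDesktop`/profile suspects). They will drift. Suggest the bullet keep only the operational rule (agent `user_session` 67/1702 means "can't tell"; verify via ScreenConnect), the one-line status (cause unresolved, tracked in RMM_THOUGHTS) and the link, and leave the mechanism to the feedback note. Two smaller points: the "Unrelated tip" about `Get-NetAdapterBinding -Name "ZeroTier One [..]"` belongs in its own bullet rather than at the tail of this one, and it could mention the other fix, escaping the brackets in the wildcard pattern (`[[]` matches a literal `[`), for cases where `-InterfaceDescription "ZeroTier Virtual Port"` is not unique on a host.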