sync: auto-sync from GURU-5070 at 2026-06-11 08:10:50

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-11 08:10:50
2026-06-11 08:11:03 -07:00
parent 55445d78dc
commit 543228fdba
2 changed files with 17 additions and 6 deletions

@@ -6,11 +6,22 @@ type: feedback
When diagnosing remote file-share or network-printer reachability, do NOT trust results from
GuruRMM `net use` / `net view` / `Add-Printer -ConnectionName \\HOST\...` — including in
`context: user_session`. That context is a **WTS-impersonated, non-interactive token**, which
cannot stand up an authenticated SMB session to a remote server. It returns **System error 67
("network name cannot be found")** and **RPC 1702 ("binding handle invalid")** regardless of how
healthy the path is — and even when you pass explicit valid credentials. It is not measuring what
the logged-on user actually sees.
`context: user_session`. Empirically it returns **System error 67 ("network name cannot be found")**
and **RPC 1702 ("binding handle invalid")** for shares/printers that work fine in the user's real
interactive logon — even when you pass explicit valid credentials. Treat its SMB results as
**"can't tell," not "broken"**; verify in the real session (ScreenConnect).
**Root cause is NOT a naive impersonation/double-hop defect (corrected 2026-06-11).** The agent's
`run_command_in_session` (`agent/src/watchdog/wts.rs`) uses the textbook-correct pattern —
`WTSQueryUserToken``DuplicateTokenEx(TokenPrimary)``CreateProcessAsUserW` — and `whoami`
confirms commands genuinely run AS the user in their session. And error 67 persists even with
**explicit** `/user:.. <pw>` creds, which rules out a missing-network-credential/SSO gap. So the
mechanism runs as the user correctly; the SMB failure is a subtler, still-unresolved behavior of
the spawned-process context. Leading suspects: **UAC split token** (WTSQueryUserToken may return the
filtered token while printer/SMB state lives on the linked token — the `EnableLinkedConnections`
family of bug), or a missing **window station / `lpDesktop` / loaded user profile** changing
redirector/MUP behavior. Tracked as a GuruRMM engineering item (RMM_THOUGHTS). Until pinned, the
practical rule above stands.
**Why:** Mike, 2026-06-11 (Wolkin / RSW-Laptop printer). Julie reported "no printers." Over RMM I
verified ZeroTier up, name resolution, TCP 445/139 open, MTU 2800 full DF packets, FRONT spooler
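Review bot: In the root-cause paragraph, the "Leading suspects" sentence names the UAC split token and the missing window station / `lpDesktop` / loaded user profile as hypotheses but records no observation that would confirm or eliminate either, so the next reader has nothing to test against. Suggest adding one line per suspect stating what result would settle it, and replacing the bare "(RMM_THOUGHTS)" with the file path or item id so the tracking entry can be found. Separately, on the line carrying `WTSQueryUserToken`, `DuplicateTokenEx(TokenPrimary)` and `CreateProcessAsUserW`, the three names run together with no separator; put an arrow or comma between them so the call order reads as a sequence.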