sync: auto-sync from GURU-5070 at 2026-06-11 08:10:50

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-11 08:10:50
2026-06-11 08:11:03 -07:00
parent 55445d78dc
commit 543228fdba
2 changed files with 17 additions and 6 deletions

View File

@@ -6,11 +6,22 @@ type: feedback
When diagnosing remote file-share or network-printer reachability, do NOT trust results from When diagnosing remote file-share or network-printer reachability, do NOT trust results from
GuruRMM `net use` / `net view` / `Add-Printer -ConnectionName \\HOST\...` — including in GuruRMM `net use` / `net view` / `Add-Printer -ConnectionName \\HOST\...` — including in
`context: user_session`. That context is a **WTS-impersonated, non-interactive token**, which `context: user_session`. Empirically it returns **System error 67 ("network name cannot be found")**
cannot stand up an authenticated SMB session to a remote server. It returns **System error 67 and **RPC 1702 ("binding handle invalid")** for shares/printers that work fine in the user's real
("network name cannot be found")** and **RPC 1702 ("binding handle invalid")** regardless of how interactive logon — even when you pass explicit valid credentials. Treat its SMB results as
healthy the path is — and even when you pass explicit valid credentials. It is not measuring what **"can't tell," not "broken"**; verify in the real session (ScreenConnect).
the logged-on user actually sees.
**Root cause is NOT a naive impersonation/double-hop defect (corrected 2026-06-11).** The agent's
`run_command_in_session` (`agent/src/watchdog/wts.rs`) uses the textbook-correct pattern —
`WTSQueryUserToken``DuplicateTokenEx(TokenPrimary)``CreateProcessAsUserW` — and `whoami`
confirms commands genuinely run AS the user in their session. And error 67 persists even with
**explicit** `/user:.. <pw>` creds, which rules out a missing-network-credential/SSO gap. So the
mechanism runs as the user correctly; the SMB failure is a subtler, still-unresolved behavior of
the spawned-process context. Leading suspects: **UAC split token** (WTSQueryUserToken may return the
filtered token while printer/SMB state lives on the linked token — the `EnableLinkedConnections`
family of bug), or a missing **window station / `lpDesktop` / loaded user profile** changing
redirector/MUP behavior. Tracked as a GuruRMM engineering item (RMM_THOUGHTS). Until pinned, the
practical rule above stands.
**Why:** Mike, 2026-06-11 (Wolkin / RSW-Laptop printer). Julie reported "no printers." Over RMM I **Why:** Mike, 2026-06-11 (Wolkin / RSW-Laptop printer). Julie reported "no printers." Over RMM I
verified ZeroTier up, name resolution, TCP 445/139 open, MTU 2800 full DF packets, FRONT spooler verified ZeroTier up, name resolution, TCP 445/139 open, MTU 2800 full DF packets, FRONT spooler
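Review bot: the new root-cause paragraph rules out a naive impersonation defect on the strength of `whoami` alone, but `whoami` confirms identity, not which of the two UAC tokens the process received, so it cannot distinguish the leading suspect (filtered token vs. linked token) from the alternatives. Record the discriminating evidence next to the claim, for example the output of `whoami /groups` from the `user_session` context (integrity level and whether the Administrators group is marked "Group used for deny only"), and whether the spawned process had a loaded user profile, so the "still-unresolved" status can be closed from data rather than re-investigated. Minor wording in the same paragraph: "the `EnableLinkedConnections` family of bug" should read "family of bugs", and the hunk's 11-to-22 line expansion suggests a blank line before "**Root cause ...**" and before "**Why:**" to keep the sections readable.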

View File

@@ -88,7 +88,7 @@ backlinks: []
## Patterns & Known Issues ## Patterns & Known Issues
- **macOS Syncro JSON parsing:** Syncro customer lookup from Mac failed due to JSON parsing issues (2026-06-07). Use Windows PC for Syncro API operations or manual web portal lookups. - **macOS Syncro JSON parsing:** Syncro customer lookup from Mac failed due to JSON parsing issues (2026-06-07). Use Windows PC for Syncro API operations or manual web portal lookups.
- **ZeroTier print RPC needs Private profile:** File-and-Printer-Sharing inbound rules (incl. Print Spooler RPC) apply to the Private profile only. The ZeroTier interface was Public on both FRONT and RSW-Laptop, which blocked print/RPC over ZT while file SMB still worked. Fix: set the ZT interface Private on both ends. (Confirmed still Private both ends 2026-06-11.) - **ZeroTier print RPC needs Private profile:** File-and-Printer-Sharing inbound rules (incl. Print Spooler RPC) apply to the Private profile only. The ZeroTier interface was Public on both FRONT and RSW-Laptop, which blocked print/RPC over ZT while file SMB still worked. Fix: set the ZT interface Private on both ends. (Confirmed still Private both ends 2026-06-11.)
- **[MEASUREMENT ARTIFACT — not a real fault] SMB/printer tests via the GuruRMM agent give FALSE error 67 / RPC 1702; the real interactive session works.** The printer to `\\front\Sharp` **works** for Julie when she is logged in (confirmed 2026-06-11 by remoting in). But every SMB test run through the **GuruRMM agent's `user_session` context fails**`net use \\FRONT\IPC$` (and by IP) → System error 67, `net view` → RPC 1702, `Add-Printer -ConnectionName` → 67 — **even with valid `FRONT\julie` creds.** Cause: RMM `user_session` is a **WTS-impersonated, non-interactive token**, which cannot establish an authenticated SMB session to a remote host (the network second-hop/credential context isn't there). It is NOT measuring what Julie's real logon sees. The underlying plumbing is genuinely fine (ZeroTier up, 445/139 open, MTU 2800 full DF, FRONT shared + Private + SMB-In, bindings present) — which is why it prints interactively. **Rule: do NOT use RMM `net use`/`net view`/`Add-Printer` to judge SMB/printer health to a remote host — its 67/1702 means "can't tell," not "broken." Verify via the real session (ScreenConnect).** The 2026-06-07 "wall" was this same artifact (Mike's "manual fix" worked only because it was interactive). See [[../../.claude/memory/feedback_rmm_user_session_smb_false_negative]]. Unrelated tip: `Get-NetAdapterBinding -Name "ZeroTier One [..]"` returns empty because `[ ]` are PowerShell wildcards — use `-InterfaceDescription "ZeroTier Virtual Port"`. - **[MEASUREMENT ARTIFACT — not a real fault] SMB/printer tests via the GuruRMM agent give FALSE error 67 / RPC 1702; the real interactive session works.** The printer to `\\front\Sharp` **works** for Julie when she is logged in (confirmed 2026-06-11 by remoting in). 
But every SMB test run through the **GuruRMM agent's `user_session` context fails**`net use \\FRONT\IPC$` (and by IP) → System error 67, `net view` → RPC 1702, `Add-Printer -ConnectionName` → 67 — **even with valid `FRONT\julie` creds.** Cause: still unresolved, but NOT a naive impersonation defect — the agent runs these AS the user correctly (`WTSQueryUserToken``DuplicateTokenEx(TokenPrimary)``CreateProcessAsUserW`; `whoami` returns `rsw-laptop\julie`), and error 67 persists even with explicit creds (so not an SSO/credential gap). Suspect UAC split-token (`EnableLinkedConnections`) or missing window-station/profile in the spawned context. Tracked in GuruRMM RMM_THOUGHTS. Regardless of cause, RMM is NOT measuring what Julie's real logon sees. The underlying plumbing is genuinely fine (ZeroTier up, 445/139 open, MTU 2800 full DF, FRONT shared + Private + SMB-In, bindings present) — which is why it prints interactively. **Rule: do NOT use RMM `net use`/`net view`/`Add-Printer` to judge SMB/printer health to a remote host — its 67/1702 means "can't tell," not "broken." Verify via the real session (ScreenConnect).** The 2026-06-07 "wall" was this same artifact (Mike's "manual fix" worked only because it was interactive). See [[../../.claude/memory/feedback_rmm_user_session_smb_false_negative]]. Unrelated tip: `Get-NetAdapterBinding -Name "ZeroTier One [..]"` returns empty because `[ ]` are PowerShell wildcards — use `-InterfaceDescription "ZeroTier Virtual Port"`.
- **Canonical data is local, not OneDrive:** the firm's repository is `C:\Shared Data\CLIENT FILES` on FRONT (local). OneDrive copies under `OneDrive\Documents` / `OneDrive\Shared Data` were stale predecessors from a defunct Resilio/ownCloud sync setup — consolidated and removed 2026-06-08. Win11 Home does not surface the Explorer "Previous Versions" tab; VSS restores are admin-side (mount the shadow volume). - **Canonical data is local, not OneDrive:** the firm's repository is `C:\Shared Data\CLIENT FILES` on FRONT (local). OneDrive copies under `OneDrive\Documents` / `OneDrive\Shared Data` were stale predecessors from a defunct Resilio/ownCloud sync setup — consolidated and removed 2026-06-08. Win11 Home does not surface the Explorer "Previous Versions" tab; VSS restores are admin-side (mount the shadow volume).
## Active Work ## Active Work
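Review bot: this bullet now duplicates the full root-cause analysis (token flow, `whoami` result, split-token and window-station suspects) that lives in the feedback note it already links to, so the two copies will drift once the GuruRMM engineering item is resolved; keep the client-facing rule ("67/1702 means can't tell, not broken; verify via ScreenConnect") here and defer the mechanism discussion to `[[../../.claude/memory/feedback_rmm_user_session_smb_false_negative]]`. The trailing "Unrelated tip" about `Get-NetAdapterBinding -Name "ZeroTier One [..]"` and `[ ]` being PowerShell wildcards is unrelated to the measurement artifact and is hard to find buried at the end of this item; move it to its own bullet under "Patterns & Known Issues". Also, the rendered new side shows the bullet split across two lines, so confirm the file does not contain a stray line break in the middle of the list item.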