sync: auto-sync from GURU-5070 at 2026-06-10 15:18:03
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-10 15:18:03
@@ -0,0 +1,78 @@
# Grabb & Durando — Calendar App (data.grabbanddurando.com) Login Fix + Migration Audit
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Investigated a report that "Jeff's login isn't working" on the firm's calendar/case-management web app while other users were fine. Mike clarified it was NOT a Leap/M365 issue but the custom PHP app at data.grabbanddurando.com. Resolved DNS to 72.194.62.5 = ACG's IX server (internal 172.16.3.10), found the app under cPanel account `grabblaw` at `/home/grabblaw/public_html/data_grabbanddurando`, with live DB `grabblaw_gdapp_data`.
Read the auth code: login (index.php) authenticates against table `vt_users` by username + md5(password) with is_enabled=1. The live `vt_users` had only 5 rows; "Jeff" was identified as jwilliams (Jeff Williams). His account was absent. Cross-checked an older DB copy `grabblaw_gdapp` (48 users) which contained jwilliams (id 46, Super Admin, enabled, password intact). Restored just his row into the live DB via INSERT ... SELECT (schemas identical, id 46 free, orphan ACL role row already present). Verified login conditions met.
Spot-checked all shared tables old vs live: every DATA table in the live DB is equal to or larger than the old copy (live is authoritative and actively used) — only `vt_users` (6/48) and `acl_junction_user_role` (77/82) were under-populated. So this was never a "restore the database" problem, just a dropped user table; a full restore would have lost newer live data.
Mike hypothesized the firm's web people tried to move the site and broke it. Forensics confirmed the shape: an on-server `backups_mariadb_fix/MIGRATION_REPORT.md` (dated 2025-12-15, "Prepared by: IT Support") documents a GoDaddy/legacy -> IX cPanel migration with a PHP 7.4->8.1 + MariaDB 10.11 strict-mode rebuild (61 files modified). The live DB dir was built 2025-12-16, alongside 5 clone/scratch DBs created 2025-12-11; connection.php repointed 2025-12-15; app error_log shows DB-connect failures in Jan 2026 (rocky aftermath). Binary logging is OFF, so there is no statement-level proof of deliberate prune vs failed import — but the circumstantial timeline is solid.
Per Mike's direction, the other ~20 inactive accounts were left for Jeff to decide later (no bulk backfill). Created Syncro ticket #32405 and billed 1.0 hr remote, which applied to the firm's prepaid block (invoice $0.00; 21.25 prepay hrs remaining). Updated the wiki extensively.
## Key Decisions
- Restored ONLY jwilliams (preserving his original md5 password + id 46 + Super Admin role) rather than a full DB restore — the live DB is current and authoritative; a wholesale restore would lose post-migration data.
- Kept Jeff's existing pre-migration password (least surprise; forgot-password flow available) rather than setting a temp.
- Left the remaining 41 missing accounts un-restored at Mike's direction (only a handful of active users; Jeff to decide).
- Recorded the migration root cause from the on-server MIGRATION_REPORT.md + filesystem/DB timestamps rather than guessing; explicitly noted the no-binlog limitation.
## Problems Encountered
- **Public SSH to IX timed out** (port 22 on 72.194.62.5 firewalled). Connected via internal IP `172.16.3.10` instead (this machine reaches the 172.16.3.0/24 net).
- **App DB user is scoped to its own DB:** `grabblaw_gddata` could not read the old `grabblaw_gdapp` (access denied). Used root MySQL (socket auth) for cross-DB inspection and the restore.
- **Prepay misread:** the Syncro customer-LIST endpoint returned `prepay_hours: None`, so the billing initially looked like it should be $150; the invoice came back $0.00 with "- Applied 1.0 Prepay Hours". The per-customer DETAIL endpoint confirmed Grabb & Durando is prepaid (21.25 hrs remaining). $0.00 invoice is correct.
- **Diagnosis correction:** initial framing blamed a recent GoDaddy->IX migration; Mike corrected that the app has been on IX a year+ (path GoDaddy->WebSvr->IX over ~2 yrs). Forensics then pinned the user-table loss to the Dec 2025 IX/MariaDB rebuild specifically. Wiki + ticket wording revised accordingly.
## Configuration Changes
- **Live DB write:** `INSERT INTO grabblaw_gdapp_data.vt_users SELECT * FROM grabblaw_gdapp.vt_users WHERE id=46;` (restored jwilliams). No ACL change needed — orphan row (46, role 1 Super Admin) already present in live.
- `wiki/clients/grabb-durando.md` — updated Servers table (GoDaddy=retired, IX=live host w/ details), Web Applications (full data-app entry + auth model + weak-auth warning), Patterns (Dec-2025 origin + do-not-full-restore rule + per-user login diagnostic), Active Work (migration complete; backfill DEFERRED to client), History (2025-12-15/16 confirmed migration row; 2026-06-10 fix row), Profile (prepaid 21.25 hrs, Syncro id 14232794).
## Credentials & Secrets
- **App DB (live):** host localhost, user `grabblaw_gddata`, password `GrabbData2025`, database `grabblaw_gdapp_data`. Hardcoded in `/home/grabblaw/public_html/data_grabbanddurando/connection.php`. [WARNING] not vaulted — TODO: migrate to SOPS vault under clients/grabb-durando/.
- **SSH:** `root@172.16.3.10` (IX internal; key-based, system OpenSSH). Public 72.194.62.5:22 firewalled.
- App auth model (for future reference): `vt_users` login by username + unsalted MD5(password) + is_enabled=1; roles in acl_user_role (1 Super Admin, 3 Assistant, 4 Lawyer, 5 Call Center) via acl_junction_user_role. [WARNING] weak auth (unsalted MD5 + plaintext password cookie).
## Infrastructure & Servers
- IX: `ix.azcomputerguru.com` = 72.194.62.5 (public, :22 firewalled) / 172.16.3.10 (internal). CloudLinux 9.7, cPanel, MariaDB 10.11, PHP 8.1.
- App: cPanel acct `grabblaw`, docroot `/home/grabblaw/public_html/data_grabbanddurando`, DNS `data.grabbanddurando.com -> 72.194.62.5` (zone on ACG WebSvr 162.248.93.81).
- DB copies on IX: `grabblaw_gdapp_data` (LIVE, 6 users now), `grabblaw_gdapp` (48 users, pre-migration), plus `gdapp2`, `_clone`, `_new`, `sandbox` (clones from 2025-12-11).
- Migration doc: `/home/grabblaw/public_html/data_grabbanddurando/backups_mariadb_fix/MIGRATION_REPORT.md` (2025-12-15).
- Retired: GoDaddy VPS 208.109.235.224 (nothing points here; verify cancelled).
## Commands & Outputs
```bash
# locate app + auth
ssh root@172.16.3.10 'grep -i data.grabbanddurando /etc/userdatadomains'
# -> grabblaw==...==/home/grabblaw/public_html/data_grabbanddurando
# login query (index.php): select * from vt_users where username='<login>' and password='<md5>' and is_enabled=1
# restore Jeff
mysql -e "INSERT INTO grabblaw_gdapp_data.vt_users SELECT * FROM grabblaw_gdapp.vt_users WHERE id=46;"
# table count comparison: vt_users OLD 48 / LIVE 6 ; all data tables LIVE >= OLD
# forensics: live DB dir 2025-12-16; clone DBs 2025-12-11; connection.php edited 2025-12-15; binlog OFF
```
## Pending / Incomplete Tasks
- **Backfill remaining users — DEFERRED to client.** 41 accounts still missing from live `vt_users` (20 enabled real users + disabled/test). Restore individually on request via targeted INSERT...SELECT from grabblaw_gdapp; skip test/junk (testsuntec, ContactOne).
- **Vault the app DB creds** (connection.php plaintext) under clients/grabb-durando/.
- **Confirm the old GoDaddy VPS (208.109.235.224) is cancelled** — nothing points to it but it may still bill.
- Tell Jeff: log in at https://data.grabbanddurando.com with username `jwilliams` + his pre-migration password (forgot-password link emails jwilliams@grabblaw.com).
## Reference Information
- Syncro: customer `14232794` (Grabb & Durando Law Office; contact jwilliams@grabblaw.com). Ticket **#32405** (id 112505040), Initial Issue comment id 418428207 (internal/no email), line item id 42811333, invoice **#67812** (id 1650639454, $0.00 prepaid), prepay 21.25 hrs remaining. Bot alert message_id 1514392451853455490.
- Restored user: jwilliams (Jeff Williams), vt_users id 46, role Super Admin.
- Wiki: `wiki/clients/grabb-durando.md`.
- Tenant (M365, unrelated to this fix): grabblaw.com `032b383e-96e4-491b-880d-3fd3295672c3`.
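Review bot: the Credentials & Secrets section commits the live app DB password (`GrabbData2025`) together with the path of `connection.php` in plaintext to a synced session log, which widens the exposure of a credential the same section already flags as not vaulted; redact the value here and point to the planned SOPS entry under clients/grabb-durando/ instead. The unsalted-MD5 login and the plaintext password cookie are recorded only as a [WARNING] with no owner; add them to Pending / Incomplete Tasks next to the "Vault the app DB creds" item so the weak-auth finding is tracked rather than just noted.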
@@ -0,0 +1,73 @@
# Kittle — MFA SMS Conversions + Hayden Password Reset
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Continued post-incident M365 hardening on the Kittle tenant (kittlearizona.com). Reset the Hayden Schagel account password to a temporary value (force change at next sign-in) and added an SMS phone method, since the account had no phone methods registered at all. Then converted five users to phone-only MFA: removed the Microsoft Authenticator registration and set SMS text codes as the default second factor.
The five users were Alexis Schagel, Brandon Blazer, Jason Stubblefield, Neal Crusius, and Scott Zehner. Alexis and Scott already had a phone registered; Brandon was already phone-only; Jason and Neal had no phone, so their numbers (from the client phone roster image, KittlePhones.jpg) were added before stripping Authenticator. Alexis additionally had two duplicate "iPhone 12 Pro Max" Authenticator entries, both removed (this closes the long-standing open item on her account).
Finally, posted a public, customer-emailed note to Syncro ticket #32394 (MFA Cleanup) summarizing the SMS changes for Ken's awareness, with Hayden's temp password deliberately left out.
All M365 writes went through the ComputerGuru User Manager app (Graph). The work mirrors the established phone-only pattern previously applied to admin@/accounting@/josh@/brandon@.
## Key Decisions
- For Jason and Neal (no phone on file), added the SMS method and flipped the default to SMS BEFORE removing Authenticator — never leaving an account with zero MFA methods.
- Used the client-supplied phone roster (KittlePhones.jpg) as the authoritative source for Jason (702-234-4426) and Neal (217-502-9736); did not fabricate numbers.
- Left "SMS as default second factor" only — did NOT enable SMS-as-passwordless-sign-in (smsSignInState stays notConfigured), which is a separate tenant feature not requested.
- Omitted Hayden's temp password from the customer-emailed ticket note (deliver separately/securely).
## Problems Encountered
- **Vault path resolution failure:** the remediation-tool scripts compute CLAUDETOOLS_ROOT relative to the skill install dir (C:\Users\guru\.claude\skills\...), so they read the HOME identity.json (no vault_path) and fail with "vault_path not set ... and VAULT_ROOT_ENV env var not set". Worked around with `export VAULT_ROOT_ENV="D:/vault"`. Permanent fix: add vault_path to the home identity.json or fix root resolution.
- **signInPreferences is beta-only:** setting the default/preferred second factor returned HTTP 400 "Resource not found for the segment 'signInPreferences'" on Graph v1.0. Fixed by using the beta endpoint: PATCH https://graph.microsoft.com/beta/users/{id}/authentication/signInPreferences with {"userPreferredMethodForSecondaryAuthentication":"sms"}.
- **Cannot delete the default Authenticator:** for Jason/Neal, Graph returned "Cannot delete default method with other methods configured. Please change default method before deletion." Resolved by adding SMS and flipping the default to SMS first, then deleting Authenticator.
- **Password typo:** initially set Hayden's password to KCDTemp123! per the first instruction; corrected to KDCTemp123! (KDC) when Mike flagged the typo. Re-ran reset-password.sh with the corrected value.
## Configuration Changes
- M365 (kittlearizona.com) auth-method changes for 6 users (see Commands).
- `wiki/clients/kittle.md` — added two rows to the Remediation Actions Completed table (Hayden; bulk SMS conversion), a `[NOTE] remediation-tool skill gotchas` subsection under Patterns & Known Issues, and checked off the `alexis@ duplicate Authenticator cleanup` Active Work item.
## Credentials & Secrets
- **hayden@kittlearizona.com** temp password: `KDCTemp123!` (force change at next sign-in). Superseded earlier mistaken value `KCDTemp123!`.
- Phone numbers added to M365 auth methods (from client roster KittlePhones.jpg): Hayden 520-628-0929; Jason 702-234-4426; Neal 217-502-9736. (Alexis 520-628-0921, Brandon 520-304-8247, Scott 520-288-4444 already registered.)
- Tokens via vault `msp-tools/computerguru-user-manager.sops.yaml` (cert auth). No new secrets created.
## Infrastructure & Servers
- Tenant: kittlearizona.com / `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`
- App used: ComputerGuru User Manager (appId `64fac46b-8b44-41ad-93ee-7da03927576c`); in-tenant SP `ea0277ab-497c-45f7-b88a-e2d53f54a4c7` (User Administrator + Authentication Administrator).
- Hayden object id: `aa995f8e-cd2c-49ba-8096-296c8bc6713a`.
## Commands & Outputs
```bash
export VAULT_ROOT_ENV="D:/vault" # required workaround on GURU-5070
# password reset (force-change)
./reset-password.sh kittlearizona.com hayden@kittlearizona.com 'KDCTemp123!' --force-change
# add SMS phone method
POST /v1.0/users/{upn}/authentication/phoneMethods {"phoneNumber":"+1 ...","phoneType":"mobile"}
# set SMS default (BETA endpoint)
PATCH /beta/users/{upn}/authentication/signInPreferences {"userPreferredMethodForSecondaryAuthentication":"sms"}
# remove Authenticator (only after SMS default set)
DELETE /v1.0/users/{upn}/authentication/microsoftAuthenticatorMethods/{id}
```
Final verification (all 5): phone present, authenticator=0, default=sms for alexis/Brandon/jason/Neal/scott.
## Pending / Incomplete Tasks
- None outstanding for this scope. Bulk SMS-availability for the rest of the tenant remains scoped OUT (only the named users needed it).
- Broader Kittle residual incident items unchanged (see kittle.md Active Work).
## Reference Information
- Syncro ticket: #32394 (id 112389608) — public comment id `418411503` posted (email on). Bot alert message_id `1514367312155775168`.
- Wiki: `wiki/clients/kittle.md`
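Review bot: Hayden's temp password is written in plaintext twice in this hunk (the Credentials & Secrets bullet and the `reset-password.sh` command line), which contradicts the Key Decision to keep it out of the customer-emailed ticket note and also leaves it in shell history on GURU-5070; redact the value from the log and record only that a force-change temp password was set, noting that forceChangePasswordNextSignIn bounds the exposure window. The "Final verification (all 5)" line is the right closing check for a phone-only conversion; it would be stronger as a one-line-per-user readout (phone present / authenticator count / default) so a later audit can diff it against Graph.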
@@ -26,9 +26,9 @@ backlinks:
- Svetlana Larionova — slarionova@grabblaw.com (end user; Leap calendar support 2026-05-04)
- sysadmin@grabblaw.com — shared admin account (M365 GA operations)
- guru@grabblaw.com — ACG-managed Global Admin account [unverified — referenced in remediation report]
- **Billing rate:** [unverified — not documented in available files]
- **Active ticket:** [unverified — no current open Syncro ticket found in sources]
- **Syncro customer ID:** [unverified — not present in available session logs]
- **Billing:** PREPAID block customer — **21.25 prepay hours remaining** as of 2026-06-10 (after ticket #32405). Syncro `prepay_hours` only shows on the per-customer detail endpoint, NOT the customer-list endpoint (list returns null — misleading). Remote labor rate $150/hr (drawn from block).
- **Syncro customer ID:** **14232794** (business: "Grabb & Durando Law Office"; primary contact on file: jwilliams@grabblaw.com)
- **Recent ticket:** #32405 (2026-06-10) — calendar-app login fix, 1.0 hr remote applied to prepaid block
## Infrastructure
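Review bot: swapping the `[unverified]` **Active ticket** bullet for a **Recent ticket** bullet silently drops the active-ticket field from the profile; keep an explicit `**Active ticket:** none as of 2026-06-10` line so the next reader does not have to infer that #32405 is closed. The sentence that Syncro `prepay_hours` appears only on the per-customer detail endpoint (list returns null) is worth keeping exactly as written, since that null is what produced the $150 misread in the session log above.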
@@ -37,8 +37,8 @@ backlinks:
| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| GND-SERVER | [unverified] | On-premise server | Windows Server 2019 Standard, AMD64 | GuruRMM agent installed 2026-05-12 via site-specific MSI |
| GoDaddy VPS | 208.109.235.224 | Custom PHP web app (data.grabbanddurando.com) | CloudLinux 9.6, cPanel v126 | 99% disk full as of website migration plan — status post-migration unknown [unverified] |
| ix.azcomputerguru.com (IX) | 72.194.62.5 | ACG shared hosting — migration target | CloudLinux 9.7, cPanel | Migration planned but no session log confirms completion [unverified] |
| GoDaddy VPS | 208.109.235.224 | ORIGINAL host of data.grabbanddurando.com (long retired) | CloudLinux 9.6, cPanel v126 | App moved off years ago. Hosting path over ~2 years: GoDaddy -> WebSvr -> IX. Nothing points here now; verify the VPS is cancelled (may still bill). |
| ix.azcomputerguru.com (IX) | 72.194.62.5 (internal 172.16.3.10) | LIVE host of data.grabbanddurando.com (calendar/case app) | CloudLinux 9.7, cPanel | Current home of the app — on IX for ~1yr+ (path: GoDaddy -> WebSvr -> IX over ~2 yrs, per Mike). Confirmed live 2026-06-10. DNS `data.grabbanddurando.com -> 72.194.62.5`. cPanel acct `grabblaw`, docroot `/home/grabblaw/public_html/data_grabbanddurando`, live DB `grabblaw_gdapp_data`. App actively used. SSH via internal `172.16.3.10` only — public port 22 firewalled (times out). |
| WebSvr (ACG) | 162.248.93.81 | Main domain (grabbanddurando.com) DNS/hosting | ACG managed | Nameserver authority for grabbanddurando.com zone |
### Email & Identity
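Review bot: the new IX row's OS cell still reads `CloudLinux 9.7, cPanel` while the session log in this same commit records MariaDB 10.11 and PHP 8.1 on that host; since the Dec 2025 PHP 7.4 -> 8.1 / MariaDB strict-mode rebuild is the root cause being tracked, add those two versions to the OS cell so the table and the Patterns section agree. The retired GoDaddy VPS row keeps a public IP plus a "may still bill" caveat; once the cancellation is confirmed, move that row to History so the Servers table lists only hosts that are actually in service.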
@@ -62,7 +62,8 @@ backlinks:
### Web Applications
- **Primary site:** grabbanddurando.com — hosted on WebSvr (ACG)
- **Data app:** data.grabbanddurando.com — custom PHP 7.4 app using mysqli; GoDaddy cPanel account `grabbandurando`, document root `/home/grabbanddurando/public_html/new_gdapp/`, database `grabblaw_gdapp` (31 MB)
- **Data app ("the calendar site"):** data.grabbanddurando.com — custom PHP app (mysqli, PHP session `law_admin`). Calendar + case management (agenda views, `gd_calendar_events`, `gd_cases`, "Jeff's Notes", phone log, contacts). **NOW LIVE ON IX** (migrated off GoDaddy): cPanel acct `grabblaw`, docroot `/home/grabblaw/public_html/data_grabbanddurando`, live DB **`grabblaw_gdapp_data`** (app user `grabblaw_gddata`; creds hardcoded in `connection.php` — [WARNING] not vaulted). Pre-migration copies `grabblaw_gdapp` (48 users) and `grabblaw_gdapp2` still present on IX as historical snapshots.
- **Auth model:** login is `index.php` → `SELECT * FROM vt_users WHERE username='<login>' AND password=MD5('<pw>') AND is_enabled=1`. Login is **by username** (the form field is labeled "Username" but POSTs as `email`); password is **unsalted MD5**; the account row must have `is_enabled=1` (a disabled row returns "you have not activated your account"). Roles live in `acl_user_role` (1=Super Admin, 3=Assistant, 4=Lawyer, 5=Call Center), linked via `acl_junction_user_role`. "I forgot my password" emails a reset link (writes a `code` to `vt_users`). [WARNING] weak auth: unsalted MD5 + a plaintext password cookie set on login.
- **Case management:** Leap — integrated with M365 calendar/mail via delegated OAuth
## GuruRMM
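Review bot: the **Auth model** bullet documents unsalted MD5 passwords and a plaintext password cookie as a [WARNING] but nothing in this file assigns remediation; add an Active Work item (rehash each user with a modern password hash on the next successful login and drop the password cookie in favour of the existing `law_admin` session) so the finding does not remain documentation-only. The **Data app** bullet above it notes that `grabblaw_gdapp` and `grabblaw_gdapp2` are still present on IX as historical snapshots; those copies hold the MD5 hashes of all 48 historical users, so record a retention and access decision for them alongside the deferred backfill rather than leaving them implicit.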
@@ -95,22 +96,26 @@ backlinks:
- **Leap OAuth consent pattern:** New hires at Grabb & Durando will NOT automatically have Leap M365 calendar sync enabled. As of 2026-05-04 tenant-wide consent was granted on the LEAP delegated app — new users should now get through the consent flow without admin intervention. Verify this holds for next new hire.
- **Leap identity binding trap:** If an admin signs in to Leap on a user's machine to grant consent, Leap stores the admin's identity token instead of the user's. Symptom: Leap syncs the wrong mailbox and throws "unable to subscribe to notifications." Fix: revoke admin OAuth grant, clear `%LOCALAPPDATA%\Microsoft Corporation\` Leap cache, re-sign in as the correct user.
- **SYSTEM context in GuruRMM commands:** Agent runs as LocalSystem. HKCU probes from GuruRMM commands read the SYSTEM hive, not a logged-in user's. Use `HKU:\<SID>` path for per-user registry work.
- **Website migration (data.grabbanddurando.com):** PHP 7.4 app, 1.8 GB files + 31 MB database. Migration target is IX (ix.azcomputerguru.com). Migration plan is detailed; no session log confirms completion — assume NOT migrated until verified.
- **Website migration (data.grabbanddurando.com):** COMPLETE — app is live on IX (`/home/grabblaw/public_html/data_grabbanddurando`, DB `grabblaw_gdapp_data`), confirmed 2026-06-10. DNS points to 72.194.62.5. App actively used post-migration.
- **[WARNING] Live user table holds only active logins — traced to the Dec 2025 rebuild (root cause of "login broken for one user"):** The live `vt_users` has only **6 of 48** rows (and 77 of 82 `acl_junction_user_role` links) vs. the older copy `grabblaw_gdapp`. Origin confirmed by 2026-06-10 forensics: a **Dec 15–16 2025 server migration / MariaDB strict-mode rebuild**, documented on-server at `backups_mariadb_fix/MIGRATION_REPORT.md` ("Prepared by: IT Support" — GoDaddy/legacy → IX cPanel, PHP 7.4→8.1, MariaDB 10.11 strict mode, 61 app files modified). Live DB dir built 2025-12-16, alongside 5 clone/scratch DBs (`grabblaw_gdapp`, `gdapp2`, `_clone`, `_new`, `sandbox`) created 2025-12-11; `connection.php` repointed 2025-12-15; rocky aftermath (app `error_log` shows DB-connect failures Jan 2026). The rebuild imported every DATA table fully — all are ≥ the old copy (activity 18.6k>17.9k, gd_calendar_events 13.2k>12.6k, gd_assign_users 25.0k>23.1k; gd_cases/gd_cases_notes/gd_contacts/gd_phone_log identical) — **but `vt_users` came out short**. Binary logging is OFF, so no statement-level proof of deliberate prune vs. failed import. The live DB is authoritative and current — **do NOT full-restore from `grabblaw_gdapp`** (would lose newer live data). Correct remediation = **targeted backfill of the specific missing `vt_users` row(s) (+ `acl_junction_user_role` links) from `grabblaw_gdapp` → `grabblaw_gdapp_data`**, preserving each user's id + MD5 password. Symptom presented as "one user can't log in, everyone else fine" because the only 3 active users (rgrabb, rpesqueira, jsosa) happened to be among the 6 surviving rows.
- **Diagnostic pattern — per-user login failure on the calendar app:** first check the live DB: `SELECT id,username,is_enabled FROM grabblaw_gdapp_data.vt_users WHERE username='<u>'`. No row → user was dropped in migration; restore from `grabblaw_gdapp`. Row with `is_enabled=0` → re-enable. Row present + enabled → password/MD5 issue (use forgot-password flow or reset the hash).
## Active Work
- **AI Demand Review System** (scoping/pre-quote as of 2026-05-12): Robert Grabb wants a custom Claude API web application for AI-assisted pre-suit demand package preparation. 11-category document upload UI, structured Claude output (case snapshot, liability, medical chronology, demand letter, etc.), DOCX/PDF export, per-case audit log. Estimated 32–48 hrs, $4,000–$6,960 flat fee range. Discovery call questions outstanding (user count, Leap API, file server structure). See `clients/grabb-durando/ai-demand-review/CONTEXT.md` for full spec.
- **Website migration** (data.grabbanddurando.com → IX): Status unknown. GoDaddy VPS was 99% full as of project planning. No completion session log found. [WARNING] Verify migration status before any GoDaddy VPS work or billing.
- **Website migration** (data.grabbanddurando.com → IX): COMPLETE (confirmed 2026-06-10, live on IX). Remaining cleanup: confirm the old GoDaddy VPS (208.109.235.224) is decommissioned/cancelled — nothing points to it anymore but it may still bill.
- **Calendar-app user-table backfill (data.grabbanddurando.com) — DEFERRED to client:** 2026-06-10 restored `jwilliams` (Jeff Williams, id 46, Super Admin) into the live `vt_users` to fix his login. **41 other accounts still missing** from the live DB (20 enabled real users: ahayward, amarshall, apesqueira, cpavlik, ecorella, gcanto, Greg, jclark, kloya, lgonzalez, mbleaman, mcarias, mgonzales, mwaletitsch, pgrabb, rmaza, admin, etc. — plus disabled/test rows). **Per Mike (2026-06-10): only a handful of active users; left for Jeff Williams to decide later — no bulk backfill planned by ACG.** If a specific person needs access, restore just their row via targeted `INSERT ... SELECT` from `grabblaw_gdapp` (preserve id + MD5 pw); skip test/junk (`testsuntec`, `ContactOne`).
## History Highlights
| Date | Event |
|---|---|
| Pre-2026 | Established MSP client; M365 tenant (grabblaw.com) under ACG management; Leap deployed firm-wide |
| 2025-12-15 | Website migration session logs referenced (in old claude-projects path) — data.grabbanddurando.com migration likely attempted [unverified from available files] |
| 2025-12-15/16 | **data.grabbanddurando.com migrated to IX + MariaDB strict-mode rebuild** (confirmed 2026-06-10 via on-server `backups_mariadb_fix/MIGRATION_REPORT.md`, "Prepared by: IT Support"). GoDaddy/legacy → IX cPanel; PHP 7.4→8.1; MariaDB 10.11 strict mode; 61 app files modified. Live DB `grabblaw_gdapp_data` built 12-16 alongside 5 clone/scratch DBs (12-11); `connection.php` repointed 12-15; rocky aftermath (DB-connect failures in app error_log Jan 2026). The rebuild left the live `vt_users` with only ~6 of 48 logins — origin of the 2026-06-10 Jeff login issue. |
| 2026-04-20 | PROJECT_STATE.md created noting website migration stalled, no session logs recorded at that time |
| 2026-05-04 | Howard: Leap M365 calendar sync for Svetlana Larionova — OAuth consent investigation + tenant-wide LEAP consent granted by Mike; Leap identity token cleanup; Teams external-share limitation explained; second monitor added |
| 2026-05-12 | GuruRMM agent installed on GND-SERVER via site-specific MSI (v0.6.2). Diagnostic run confirms agent service running. AI demand review project kicked off — Phase Two Package delivered by Robert Grabb, ACG scoping review begun. |
| 2026-06-10 | **Calendar-app login fix + migration audit.** Reported: Jeff Williams (`jwilliams`) couldn't log in to data.grabbanddurando.com while others could. Root cause traced to the Dec 2025 IX/MariaDB rebuild, which left the live `vt_users` with only 6 of 48 logins (Jeff not among the survivors). Confirmed the app is live on IX (`grabblaw` cPanel acct, DB `grabblaw_gdapp_data`) and that the live DB is authoritative (all data tables ≥ old copy). Restored `jwilliams` (id 46, Super Admin, original MD5 password) from `grabblaw_gdapp` → live; login verified. 41 other (mostly inactive) accounts left un-restored at Mike's direction — Jeff to decide later. Billed 1.0 hr remote on new Syncro ticket #32405 — applied against their PREPAID block (invoice #67812 = $0.00; 21.25 prepay hrs remaining). Documented the app auth model, the Dec-2025 origin, and a per-user login diagnostic. |
## Backlinks
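Review bot: the row counts in the `[WARNING] Live user table` bullet and in the 2025-12-15/16 History row are post-fix numbers: both say the rebuild left the live `vt_users` with 6 of 48 rows, but the session summary in this same commit records 5 rows before `jwilliams` (id 46) was re-inserted and 6 after; state 5 as the post-rebuild count and 6 as the current count so the "only 3 active users among the survivors" reasoning is read against the right total. In the **Diagnostic pattern** bullet, the closing "reset the hash" should name the app's forgot-password flow as the preferred route, because a manual `UPDATE` with `MD5()` perpetuates the unsalted scheme this file warns about two bullets earlier.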
@@ -378,6 +378,8 @@ Kittle confirmed it has no relationship with Foam Factory Incorporated.
| FIDO2/passkeys ENABLED tenant-wide (Authentication Methods policy `fido2` state -> enabled) | 2026-06-10 | [OK] — phishing-resistant method now available to all users (targets `all_users`, self-service reg on, no attestation/key restrictions, deviceBound+synced). Triggered by Darline hitting "passkey not enabled for the organization" during re-enrollment. Tenant still `policyMigrationState: migrationInProgress` — SMS/voice/Authenticator remain governed by legacy MFA settings. |
| Auth Methods policy migration — Step 1 of 3: enabled `microsoftAuthenticator`, `sms`, `voice`, `softwareOath` in the converged policy (all `all_users`, additive) | 2026-06-10 | [OK] — replicates legacy MFA method set into the new policy ahead of migration; `policyMigrationState` deliberately LEFT at `migrationInProgress` (legacy still backing). NEXT: verification window (watch sign-in MFA failures), then Step 3 = PATCH `policyMigrationState: migrationComplete` only on explicit go. Tenant overdue (Microsoft retired legacy MFA mgmt Sept 2025; auto-complete risk). |
| joshua@ (Josh Sutherland) + Brandon@ (Brandon Blazer) MFA reset to phone-only: added SMS (Josh +1 520-664-4785, Brandon +1 520-304-8247) as default, removed Authenticator (Josh iPad Pro, Brandon SM-F741U) | 2026-06-10 | [OK] — same pattern as admin@/accounting@. Cell numbers from client-supplied roster (KittlePhones.jpg). Bulk SMS-availability for the rest of the tenant was scoped OUT at Mike's direction (only Josh/Brandon needed now); accounting@ left as-is (work # +1 520-763-3091, re-registered Authenticator SM-S731U left in place). |
| hayden@ (Hayden Schagel) password reset (force-change) + SMS phone added | 2026-06-10 | [OK] — via User Manager app. Account had NO phone methods prior; added SMS +1 520-628-0929 (from client roster). Password set/corrected to a temp value with forceChangePasswordNextSignIn=true. |
| Bulk phone-only MFA conversion: alexis@, Brandon@, jason@, Neal@, scott@ — SMS set as default 2nd-factor, Microsoft Authenticator removed | 2026-06-10 | [OK] — via User Manager app. Phones from client roster (KittlePhones): Alexis 520-628-0921 (existing), Brandon 520-304-8247 (existing), Jason 702-234-4426 (ADDED), Neal 217-502-9736 (ADDED), Scott 520-288-4444 (existing). Alexis: BOTH duplicate "iPhone 12 Pro Max" Authenticator entries (7365a870, c927402a) removed. Jason (SM-X218U) + Neal (iPhone 16 Pro) had no phone — added SMS first, flipped default to SMS, THEN removed Authenticator (cannot delete the default method otherwise). Brandon/Scott already phone-only. SMS-as-passwordless-signin (smsSignInState) still notConfigured/not enabled tenant-wide — this changes the default 2nd-factor only. |
### Incident Evidence (preserved by ACG)
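Review bot: the bulk phone-only row removes Microsoft Authenticator for five users and leaves SMS as the sole second factor, which is a step down in phishing resistance from the FIDO2/passkey method the first row of this hunk records as enabled tenant-wide on the same date; add a sentence to the row stating whether phone-only is the intended end state or an interim step toward passkey enrollment, so a later reader does not re-enroll Authenticator or revert the change by mistake. The hayden@ row correctly keeps the temp password out of the table; the same discipline should apply to the session log this commit also adds.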
@@ -444,6 +446,14 @@ Lori Schagel had 10 admin roles including Global Administrator as a pre-existing
**Rule:** Small-business tenants should have exactly one active GA account (or two, with the second being a break-glass with a very strong password and no MFA registration, NOT a named-user account). Review GA assignments at every breach check. Strip and downscope unnecessary GA on sight.
### [NOTE] remediation-tool skill gotchas (observed 2026-06-10 during the MFA conversions)
Tooling quirks hit while running the User Manager (remediation-tool) scripts against this tenant — apply fleet-wide, not Kittle-specific:
1. **Vault path resolution reads the wrong identity.json.** The scripts compute `CLAUDETOOLS_ROOT` relative to the skill install dir (`C:\Users\guru\.claude\skills\remediation-tool\...`), so on GURU-5070 they read the *home* `~/.claude/identity.json` (which has no `vault_path`) and fail: `ERROR: vault_path not set ... and VAULT_ROOT_ENV env var not set`. Workaround: `export VAULT_ROOT_ENV="D:/vault"` before calling `get-token.sh`/`reset-password.sh`. Permanent fix: add `vault_path` to the home identity.json or fix root resolution.
2. **`signInPreferences` is beta-only.** Setting a user's default/preferred second factor must go to `PATCH https://graph.microsoft.com/beta/users/{id}/authentication/signInPreferences` with `{"userPreferredMethodForSecondaryAuthentication":"sms"}`. The v1.0 path returns HTTP 400 `Resource not found for the segment 'signInPreferences'`.
3. **Can't delete the default Authenticator while it IS the default.** Graph returns `Cannot delete default method with other methods configured. Please change default method before deletion.` Correct order for a phone-only conversion: (a) add the SMS phone method, (b) PATCH signInPreferences to `sms` (beta), (c) THEN DELETE the Authenticator method. Never strip the only/last MFA method before the replacement is in place.
### [WARNING] IMAP/POP/EAS still enabled tenant-wide
Legacy protocols remain enabled as of 2026-06-09. The CA `Block legacy authentication` policy now blocks sign-in via legacy auth, but the protocols themselves are still enabled and could represent residual risk (e.g., if the CA policy is ever accidentally disabled). Disable IMAP/POP/EAS at the mailbox level tenant-wide as defense in depth.
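Review bot: item 3's (a)-(b)-(c) order is right, but it needs a read-back step between (b) and (c): GET the user's authentication methods and confirm the phone method is present and the preferred second factor reports `sms` before issuing the DELETE, since the Graph error quoted in the item is exactly what you get when the default has not actually changed yet. Item 2 should also state plainly that `signInPreferences` is reachable only on the beta endpoint today, so the scripts depend on an unversioned API surface that should be re-checked if the v1.0 path starts accepting it.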
@@ -474,7 +484,7 @@ Do not migrate or decommission SERVER without a proper QuickBooks migration plan
- [ ] **Disable IMAP/POP/EAS tenant-wide** — CA now blocks legacy auth, but protocols remain enabled. Defense-in-depth: disable at mailbox level.
- [ ] **Confirm bank freeze calls completed** (Truist 844-487-8478 / Enterprise Fraud Mgmt 866-802-4955; First State Bank fraud 866-372-1275; Chase Global Bank Recoveries 866-954-3718 opt 4 / gb.fraud.recovery@jpmorgan.com).
- [ ] **Re-add appropriate admin role to Ken** — all 10 stripped during containment; Ken is owner/GA by function. Re-add Global Administrator + Exchange Administrator once incident is formally closed.
- [ ] **alexis@ duplicate Authenticator cleanup** — entry `c927402a-75c6-4a55-840a-86d1eea43a9b` ("iPhone 12 Pro Max", app ver 6.8.40). Confirm with Alexis how many Kittle accounts are on her phone; remove if only one. Also review OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` if unused.
- [x] **alexis@ duplicate Authenticator cleanup** — DONE 2026-06-10: both "iPhone 12 Pro Max" Authenticator entries (`7365a870-4809-4fdc-9e9b-dcd76eddb8ef` and `c927402a-75c6-4a55-840a-86d1eea43a9b`) removed during the bulk phone-only MFA conversion; Alexis now SMS-only (+1 520-628-0921, default). OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` not touched — review/remove if confirmed unused.
- [ ] **Wrex license removal** — mailbox converted to shared, user disabled; free the Business Standard license.
- [ ] **Christina Micek inbox rule on Ken** — confirmed benign during 6/8 sweep (copy rule, no suppression). Still worth Ken confirming explicitly for documentation closure.
- [ ] **Warn Ken's phished external contacts** — 740+ recipients received the "Ken Schagel shared a file with you" phishing email; link was `flowinnactuators.com/work.html` (credential harvesting). Formal notification recommended.
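Review bot: the ticked alexis@ item buries a still-open action ("OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` not touched — review/remove if confirmed unused") inside a `[x]` line, where it will read as done on the next sweep; split it out into its own `[ ]` checklist item. The completed line otherwise records both removed Authenticator method IDs and the resulting SMS default, which is the right level of detail for an incident checklist.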