From cfc065b09765faf361c599f71287324937b41b5b Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Thu, 11 Jun 2026 08:00:19 -0700 Subject: [PATCH] sync: auto-sync from GURU-5070 at 2026-06-11 08:00:04 Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-11 08:00:04 --- .claude/memory/MEMORY.md | 1 + .../feedback_client_slug_fragmentation.md | 33 ++ clients/rswolkin/README.md | 6 + clients/wolkin-law/README.md | 6 + .../FRONT-20260606T133142.json | 0 .../FRONT-20260606T133142.md | 0 .../remote-printing-tailscale-plan.md | 0 .../2026-06-05-julie-guda-provisioning.md | 0 ...stall-rmm-diagnostic-tailscale-planning.md | 0 .../2026-06-07-mike-zerotier-setup.md | 0 ...nter-rediagnosis-and-slug-consolidation.md | 72 ++++ wiki/clients/robert-wolkin.md | 128 +----- wiki/clients/wolkin-law.md | 373 +----------------- wiki/clients/wolkin.md | 50 ++- 14 files changed, 186 insertions(+), 483 deletions(-) create mode 100644 .claude/memory/feedback_client_slug_fragmentation.md create mode 100644 clients/rswolkin/README.md create mode 100644 clients/wolkin-law/README.md rename clients/{rswolkin => wolkin}/onboarding-baselines/FRONT-20260606T133142.json (100%) rename clients/{rswolkin => wolkin}/onboarding-baselines/FRONT-20260606T133142.md (100%) rename clients/{rswolkin => wolkin}/remote-printing-tailscale-plan.md (100%) rename clients/{rswolkin => wolkin}/session-logs/2026-06-05-julie-guda-provisioning.md (100%) rename clients/{rswolkin => wolkin}/session-logs/2026-06-06-mike-gemini-install-rmm-diagnostic-tailscale-planning.md (100%) rename clients/{wolkin-law => wolkin}/session-logs/2026-06-07-mike-zerotier-setup.md (100%) create mode 100644 clients/wolkin/session-logs/2026-06/2026-06-11-mike-printer-rediagnosis-and-slug-consolidation.md diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index 5abc1f5..8e0b01e 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -123,3 +123,4 @@ - [Syncro preview mandatory](feedback_syncro_preview_mandatory.md) — preview+confirm every Syncro write, including internal notes - [Refresh session history first](feedback_refresh_session_history_first.md) — read prior incident logs before acting; do not re-remediate already-handled accounts - [Autonomy scope](feedback_autonomy_scope.md) — confirm only for client-affecting actions; internal docs/wiki/ClaudeTools = act autonomously +- [Check for client-slug fragmentation](feedback_client_slug_fragmentation.md) — Before concluding a client has no records, grep broadly (company/owner/initials/hostname/"Last, First") across clients/, wiki/, session-logs/, vault — one client gets split across slug variants (Wolkin was 4: wolkin/wolkin-law/rswolkin/robert-wolkin). Consolidate to one canonical slug; action prior logs' Pending items. diff --git a/.claude/memory/feedback_client_slug_fragmentation.md b/.claude/memory/feedback_client_slug_fragmentation.md new file mode 100644 index 0000000..5c9965c --- /dev/null +++ b/.claude/memory/feedback_client_slug_fragmentation.md 
@@ -0,0 +1,33 @@ +--- +name: Check for client-slug fragmentation before concluding "no records exist" +description: A single client can be recorded under several slug variants (e.g. wolkin / wolkin-law / rswolkin / robert-wolkin). Search broadly across variants before saying nothing is documented, and consolidate to one canonical slug when you find the spread. +type: feedback +--- + +When a client/machine is named and you can't find its records (vault, wiki, session logs), do +NOT conclude "nothing was captured" from a single-slug search. The same client is often +fragmented across multiple slugs and the RMM/Syncro display name (Last, First) form. + +**Why:** Mike, 2026-06-11. On the Wolkin printer issue I searched `wolkin` in the vault, found +nothing, and asked Mike for a password we already had — because the two-day build was split +across FOUR slugs: `clients/wolkin/`, `clients/rswolkin/`, `clients/wolkin-law/`, and wiki +`wolkin.md` / `wolkin-law.md` / `robert-wolkin.md` (RMM client `Wolkin, Robert`, tenant +`rswolkin.com`). The credential and the *exact same* error-67 diagnosis were sitting in a +session log under a different slug. Mike: "an absolute failure of the session logs and wiki +system." It wasn't lost — it was unfindable because of slug drift, and pending items from the +prior log ("migrate creds to vault", "consolidate the slugs") were never actioned. + +**How to apply:** +- Before concluding a client has no records, grep broadly: the company name, the owner's name, + initials, the hostname, and `Last, First` — across `clients/`, `wiki/`, `session-logs/`, and + the vault. e.g. `grep -ril "wolkin|rsw|robert" clients/ wiki/ session-logs/`. +- If you find the same client under >1 slug, **consolidate**: pick one canonical slug, move the + scattered logs/baselines into `clients//`, merge the wiki articles into one and + leave pointer stubs at the others, and add `aliases:` to the canonical article's frontmatter + so future recall finds it. 
+- Onboard each client under ONE slug from the start. The GuruRMM client name, the Syncro + customer, the vault dir, the wiki slug, and the `clients//` dir should all match. +- Always action a prior log's "Pending" items (vault these creds, consolidate these slugs) — + unactioned pending items become the next session's wall. +- Wolkin canonical = slug `wolkin`; see [[wolkin]] wiki for the error-67 ZeroTier/SMB printer + wall (needs interactive fix, not scripted) and the `Get-NetAdapterBinding` bracket-wildcard tip. diff --git a/clients/rswolkin/README.md b/clients/rswolkin/README.md new file mode 100644 index 0000000..f8f71f4 --- /dev/null +++ b/clients/rswolkin/README.md @@ -0,0 +1,6 @@ +# Moved -> clients/wolkin/ + +This client was consolidated to the canonical slug **wolkin** on 2026-06-11 +(same client recorded under wolkin / wolkin-law / rswolkin / robert-wolkin). +All session logs, baselines, and plans now live in `clients/wolkin/`. +Wiki: `wiki/clients/wolkin.md`. Credentials: vault `clients/wolkin/`. diff --git a/clients/wolkin-law/README.md b/clients/wolkin-law/README.md new file mode 100644 index 0000000..f8f71f4 --- /dev/null +++ b/clients/wolkin-law/README.md @@ -0,0 +1,6 @@ +# Moved -> clients/wolkin/ + +This client was consolidated to the canonical slug **wolkin** on 2026-06-11 +(same client recorded under wolkin / wolkin-law / rswolkin / robert-wolkin). +All session logs, baselines, and plans now live in `clients/wolkin/`. +Wiki: `wiki/clients/wolkin.md`. Credentials: vault `clients/wolkin/`. diff --git a/clients/rswolkin/onboarding-baselines/FRONT-20260606T133142.json b/clients/wolkin/onboarding-baselines/FRONT-20260606T133142.json similarity index 100% rename from clients/rswolkin/onboarding-baselines/FRONT-20260606T133142.json rename to clients/wolkin/onboarding-baselines/FRONT-20260606T133142.json 
diff --git a/clients/rswolkin/onboarding-baselines/FRONT-20260606T133142.md b/clients/wolkin/onboarding-baselines/FRONT-20260606T133142.md similarity index 100% rename from clients/rswolkin/onboarding-baselines/FRONT-20260606T133142.md rename to clients/wolkin/onboarding-baselines/FRONT-20260606T133142.md diff --git a/clients/rswolkin/remote-printing-tailscale-plan.md b/clients/wolkin/remote-printing-tailscale-plan.md similarity index 100% rename from clients/rswolkin/remote-printing-tailscale-plan.md rename to clients/wolkin/remote-printing-tailscale-plan.md diff --git a/clients/rswolkin/session-logs/2026-06-05-julie-guda-provisioning.md b/clients/wolkin/session-logs/2026-06-05-julie-guda-provisioning.md similarity index 100% rename from clients/rswolkin/session-logs/2026-06-05-julie-guda-provisioning.md rename to clients/wolkin/session-logs/2026-06-05-julie-guda-provisioning.md diff --git a/clients/rswolkin/session-logs/2026-06-06-mike-gemini-install-rmm-diagnostic-tailscale-planning.md b/clients/wolkin/session-logs/2026-06-06-mike-gemini-install-rmm-diagnostic-tailscale-planning.md similarity index 100% rename from clients/rswolkin/session-logs/2026-06-06-mike-gemini-install-rmm-diagnostic-tailscale-planning.md rename to clients/wolkin/session-logs/2026-06-06-mike-gemini-install-rmm-diagnostic-tailscale-planning.md diff --git a/clients/wolkin-law/session-logs/2026-06-07-mike-zerotier-setup.md b/clients/wolkin/session-logs/2026-06-07-mike-zerotier-setup.md similarity index 100% rename from clients/wolkin-law/session-logs/2026-06-07-mike-zerotier-setup.md rename to clients/wolkin/session-logs/2026-06-07-mike-zerotier-setup.md diff --git a/clients/wolkin/session-logs/2026-06/2026-06-11-mike-printer-rediagnosis-and-slug-consolidation.md b/clients/wolkin/session-logs/2026-06/2026-06-11-mike-printer-rediagnosis-and-slug-consolidation.md new file mode 100644 index 0000000..b1e5a74 --- /dev/null 
+++ b/clients/wolkin/session-logs/2026-06/2026-06-11-mike-printer-rediagnosis-and-slug-consolidation.md 
@@ -0,0 +1,72 @@ +# Wolkin Law — Printer re-diagnosis (error 67) + client-slug consolidation + +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-5070 +- **Role:** admin + +## Session Summary + +Julie reported "no printers" on RSW-Laptop. Via GuruRMM, confirmed Spooler + ZeroTier running, then established that the only real printer is `\\front\Sharp` (Point-and-Print off FRONT; physical Sharp MX-B557F at office LAN 192.168.1.158). Exhaustively verified the path: ZeroTier up, name resolves (front→10.147.19.199), TCP 445/139 open, **MTU 2800 carries full DF packets** (MTU ruled out), FRONT healthy (spooler running, `Sharp` shared, profile Private, SMB-In allowed), laptop ZT adapter bindings (`ms_msclient`/`ms_server`) all present, both ends' ZT profile Private. Yet `net use \\front\IPC$` (and by IP) fails with **System error 67** and `net view` with **RPC 1702** — and error 67 persists **even with valid `FRONT\julie` credentials**, ruling out auth/firewall/MTU/bindings/profile. Rebooted both machines mid-session (user request); did not change it. + +Mike flagged this as a failure of the session-logs/wiki systems — we "spent two days" on this user/laptop. Investigation showed the work WAS captured but the client was **fragmented across four slugs** (`wolkin`, `wolkin-law`, `rswolkin`, `robert-wolkin`), so neither recall nor I found it, and I re-derived a diagnosis that the 2026-06-07 log already had. That log showed the **same error 67 / RPC 1702** and that Mike cleared it by connecting `\\front\Sharp` **manually/interactively** (scripted `Add-Printer` failed there too). It also flagged "migrate front\julie creds to vault" and "consolidate the slugs" as pending — never actioned. 
+ +Per Mike's "Do all", executed the full remediation: (1) restore-printer test with the recovered credential — confirmed error 67 is NOT auth, so the scripted path can't fix it (needs ScreenConnect/interactive, same as before); (2) vaulted `front\julie` + the M365 user passwords; (3) consolidated the four slugs into canonical `wolkin` (moved logs/baselines, merged + corrected the wiki, stubbed the duplicates), corrected a cross-client agent-id error, and wrote a memory so this fragmentation failure doesn't recur. + +## Key Decisions + +- Canonical slug = `wolkin`. Moved all `rswolkin`/`wolkin-law` logs+baselines into `clients/wolkin/`; left README pointer stubs; merged 3 wiki articles into `wiki/clients/wolkin.md` with `aliases:` for recall; stubbed `wolkin-law.md` + `robert-wolkin.md`. +- Did NOT keep chasing the error-67 SMB quirk scripted — it's a documented wall requiring an interactive fix; logged it loudly in the wiki Patterns instead of burning more cycles. +- Vault secrets only under `credentials:` via the new `vault` skill helper; infra facts stay in the wiki (plaintext, searchable). +- Recommend rotating `front\julie` since its password transited the RMM command log during the authenticated-mount test. + +## Problems Encountered + +- **Error 67 / RPC 1702 SMB wall (RSW-Laptop → FRONT over ZeroTier):** all underlying layers verified healthy; persists with valid creds. Same as 2026-06-07. Resolution: interactive/ScreenConnect connection (pending); root cause of the redirector quirk still unidentified. +- **Client-slug fragmentation:** one client under 4 slugs → 2-day build looked lost. Consolidated. Memory written (`feedback_client_slug_fragmentation.md`). +- **Cross-client data error:** retired `wolkin-law.md` listed FRONT's RMM agent id as `04765560-…` = actually Rednour's FrontDeskReception. Corrected (FRONT = `877d311a-…`). 
+- **Plaintext creds in wiki:** `wolkin-law.md` held robert/julie passwords in clear — moved to vault, scrubbed by stubbing the file. +- **`Get-NetAdapterBinding -Name "ZeroTier One [..]"` returns empty** — the `[ ]` in the adapter name are PowerShell wildcards; query by `-InterfaceDescription "ZeroTier Virtual Port"` or pipe the adapter object. (This made me twice misread the bindings as missing.) + +## Configuration Changes + +- **Vault (new):** `clients/wolkin/front-julie.sops.yaml` (front\julie local acct); `clients/wolkin/m365-users.sops.yaml` (robert@/julie@ rswolkin.com). +- **Repo moves:** `clients/rswolkin/*` and `clients/wolkin-law/session-logs/*` → `clients/wolkin/` (session-logs, onboarding-baselines, remote-printing-tailscale-plan.md). README stubs left in `clients/rswolkin/`, `clients/wolkin-law/`. +- **Wiki:** rewrote/enriched `wiki/clients/wolkin.md` (canonical — added GuruRMM agent IDs + Site ID, tenant, error-67 Patterns entry, vault pointers, consolidation banner, 2026-06-11 history). Stubbed `wiki/clients/wolkin-law.md` + `wiki/clients/robert-wolkin.md` → `[[wolkin]]`. +- **Memory:** `feedback_client_slug_fragmentation.md` + MEMORY.md index line. +- No repo code changes; RMM dispatches were read-only diagnostics + the two reboots. + +## Credentials & Secrets + +- `front\julie` (local on FRONT + RSW-Laptop) = `Jaylen0607!` → vault `clients/wolkin/front-julie.sops.yaml`. **Recommend rotation** (transited RMM command log during diagnosis). +- M365: robert@rswolkin.com = `Alissa16$!`; julie@rswolkin.com = `Jaylen0607!` → vault `clients/wolkin/m365-users.sops.yaml`. +- `front\Localadmin` exists on both machines (Mike's suggested admin) but its password was never recorded anywhere — still unknown/unvaulted. + +## Infrastructure & Servers + +- ZeroTier mesh `17d709436c834c9b` (10.147.19.0/24): front 10.147.19.199, RSW-Laptop 10.147.19.54. Laptop hosts entry `10.147.19.199 FRONT`. +- FRONT: LAN 192.168.1.153/24, ZeroTier 10.147.19.199. 
Sharp MX-B557F printer @ 192.168.1.158:9100, shared `\\front\Sharp`. RMM agent `877d311a-4b24-462c-97b1-d2a0f7730a71`. Local admins: Administrator, Localadmin, Owner. +- RSW-Laptop: ZeroTier 10.147.19.54, Wi-Fi 192.168.0.106. Logged-on user `rsw-laptop\julie`. RMM agent `043fd673-35a2-4d3d-8f91-ed73ce70cc1e`. +- DESKTOP-V1JT1SE (Bob's personal, out of scope): RMM `30f6af79-ab19-4ed3-9ebc-71b2bffc2d27`. +- M365 tenant rswolkin.com (`ceb6dbe7-82c8-4d8f-9c6b-49aa26208e9b` — from prior article, unverified). RMM client `Wolkin, Robert` / site `Main` / Site ID `2bb05f85-9fc8-4a7e-a5e5-ffe0c46431ac`. + +## Commands & Outputs + +- `net use \\10.147.19.199\IPC$ /user:FRONT\julie Jaylen0607!` → System error 67 (auth ruled out). +- DF ping sweep laptop→front: payload 2772 (pkt 2800) OK → MTU not the issue. +- `Get-NetAdapterBinding -InterfaceDescription "ZeroTier Virtual Port"` → ms_msclient/ms_server/ms_tcpip all True (bindings fine; `-Name` with brackets returns empty). +- Reboots: RSW-Laptop cmd `5505cdc8`, front cmd `53ac28e1` (both /r /t 15 /f). + +## Pending / Incomplete Tasks + +- **[CRITICAL] Restore Julie's printer** — reconnect `\\front\Sharp` interactively via ScreenConnect as Julie (scripted hits error 67). This is the actual unresolved issue. +- **Rotate `front\julie`** password (exposed in RMM command log); re-vault. +- Identify/vault `front\Localadmin` password (never recorded). +- Root-cause the error-67 SMB-over-ZeroTier redirector quirk (currently worked around manually each time). +- Verify the M365 tenant ID; capture Syncro customer ID + billing model (still `verify`). + +## Reference Information + +- Canonical: `clients/wolkin/`, `wiki/clients/wolkin.md`. Vault: `clients/wolkin/`. +- Syncro ticket #32369 (Remote Work Access Setup). +- Memory: `feedback_client_slug_fragmentation.md`, `feedback_rmm_password_limitation.md`. diff --git a/wiki/clients/robert-wolkin.md b/wiki/clients/robert-wolkin.md index 98ccdd8..85d5d10 100644 
--- a/wiki/clients/robert-wolkin.md +++ b/wiki/clients/robert-wolkin.md 
@@ -1,125 +1,17 @@ --- type: client name: robert-wolkin -display_name: Robert Wolkin -last_compiled: 2026-06-06 -compiled_by: GURU-5070/claude-main -sources: - - (stub — created 2026-06-06 during Tailscale planning; no session logs yet) -backlinks: - - patterns/tailscale-client-management +display_name: Robert Wolkin (consolidated → wolkin) +last_compiled: 2026-06-11 +redirect: wolkin --- -# Robert Wolkin +# Robert Wolkin → see [[wolkin]] -> **STUB** — created 2026-06-06 to track the Tailscale rollout. Most profile fields are -> not yet captured; fill in from Syncro / first session log. Do not treat `[unverified]` -> fields as fact. +This was a Tailscale-era stub (2026-06-06) for the same client now documented canonically +as **[[wolkin]]** (slug `wolkin`). **Consolidated 2026-06-11.** -## Profile - -- **Company type:** [unverified] -- **Contract type:** [unverified] -- **Key contacts:** Robert Wolkin — [contact details unverified] -- **Environment:** Very small office, non-technical users (enroll/manage everything for - them; no self-service login expected). GuruRMM shows 3 Windows 11 Home agents, but only - **two are in the Tailscale scope: RSW-Laptop and front**. `DESKTOP-V1JT1SE` is Bob's - personal machine and is intentionally **not** part of the Tailscale setup. -- **Syncro customer ID:** [unverified] -- **GuruRMM client name:** `Wolkin, Robert` (Last, First) — note the form differs from - this article's display name. - -## Infrastructure - -### Tailscale (active rollout) - -Per [[patterns/tailscale-client-management]] — **dedicated client-owned tailnet, ACG holds -Admin**. **Goal: RSW-Laptop accesses shared files AND a shared printer on `front`** (the -front-desk PC) over the tailnet. Only those two nodes are enrolled; Bob's personal -`DESKTOP-V1JT1SE` is out of scope. - -Files + printer run over plain **SMB to `front`'s Tailscale address** — no subnet router -needed (both live on a node). See the Windows files/printer section in the pattern. 
- -**[CONFIRM] Printer type:** is it **USB-attached to `front`** (→ Windows print share, SMB) or a -**separate network printer** on the office LAN that `front` prints to (→ would need a subnet -router on `front` advertising that LAN, or install it by IP on the laptop)? This changes the -design — verify before the printer step. - -| Field | Value | -|---|---| -| Tailnet identity (IdP / owner account) | [to fill — Robert's M365/Google or dedicated admin account] | -| Plan | [to fill — free tier functional; Starter ~$6/user/mo for commercial footing] | -| ACG admin identity (your seat) | [to fill] | -| Device tag | `tag:wolkin` (suggested) | -| MagicDNS | [enable] | -| Auth key (reusable, pre-approved, tagged) | store in vault: `clients/robert-wolkin/tailscale-authkey.sops.yaml` | -| Key rotation due | [to fill — ~90 days from issue] | - -| Scope | Hostname | Tailscale 100.x | Notes | -|---|---|---|---| -| **In scope** | RSW-Laptop | [after enroll] | Robert's laptop — connects out to `front` | -| **In scope** | front | [after enroll] | Front-desk PC — the target the laptop reaches | -| Out of scope | DESKTOP-V1JT1SE | — | Bob's personal machine; NOT enrolled in Tailscale | - -Enrollment: push [`patterns/tailscale-client-enroll.ps1`](../patterns/tailscale-client-enroll.ps1) -from GuruRMM with the auth key as a masked parameter (RSW-Laptop + front only). - -**Post-connect config (push via GuruRMM after both nodes are up):** - -*On `front` (host):* -1. Firewall — allow SMB only over the tailnet: - `New-NetFirewallRule -DisplayName "Tailscale SMB (files+print)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 100.64.0.0/10` -2. Confirm/create the **file share** + a **local user account** for the laptop to authenticate - as (Win 11 Home, no domain, insecure guest disabled → real creds required); grant share+NTFS. -3. Confirm the **printer share** (if USB-attached to `front`). - -*On `RSW-Laptop` (client):* -4. 
Map the share by FQDN/IP: `\\front..ts.net\` (save creds via `cmdkey`). -5. Add the printer `\\front..ts.net\` — install the driver via RMM - (SYSTEM) to dodge Point-and-Print admin prompts for the non-technical user. - -### Servers & Services / Email & Identity / Network - -Not yet documented. [unverified] - -## GuruRMM - -- **Client name:** `Wolkin, Robert` -- **Site name:** `Main` -- **Site ID:** `2bb05f85-9fc8-4a7e-a5e5-ffe0c46431ac` -- **Enrolled agents (3, all online as of 2026-06-06, Windows 11 Home 25H2 build 26200, agent v0.6.57):** - -| Hostname | Agent ID | Notes | -|---|---|---| -| DESKTOP-V1JT1SE | `30f6af79-ab19-4ed3-9ebc-71b2bffc2d27` | **Bob's personal machine — NOT in Tailscale scope** | -| RSW-Laptop | `043fd673-35a2-4d3d-8f91-ed73ce70cc1e` | Robert's laptop — Tailscale node | -| front | `877d311a-4b24-462c-97b1-d2a0f7730a71` | Front-desk PC — Tailscale node (laptop connects here) | - -- **Enrollment key:** [unverified — not located in vault during this pass; check `clients/robert-wolkin/` or regenerate] - -## Access - -- **Vault path:** `clients/robert-wolkin/` (no entries yet) -- **Syncro:** [unverified] - -## Active Work - -- **Tailscale rollout (2026-06-06):** Stand up Robert's tailnet, assign ACG as Admin, set - the `tag:wolkin` ACL + MagicDNS, generate a reusable/pre-approved tagged auth key, and - enroll **RSW-Laptop + front** via the GuruRMM script (agent IDs above), then push the - post-connect SMB config so RSW-Laptop can reach **files + the shared printer on `front`**. - Do NOT enroll DESKTOP-V1JT1SE (Bob's personal machine). Open item: confirm printer type - (USB-attached vs network). Runbook + Windows files/printer gotchas in - [[patterns/tailscale-client-management]]. - -## History Highlights - -| Date | Event | -|---|---| -| 2026-06-06 | Tailscale client management pattern + enroll script authored; this client stub created to track the rollout. 
| -| 2026-06-06 | GuruRMM scan: client `Wolkin, Robert` / site `Main` has 3 online Windows 11 Home agents (DESKTOP-V1JT1SE, RSW-Laptop, front), agent v0.6.57. Discrepancy flagged: expected 2 machines, found 3. | - -## Backlinks - -- [[patterns/tailscale-client-management]] — MSP Tailscale management pattern + enroll script +The Tailscale plan captured here was superseded — the client was deployed on **ZeroTier** +instead (mesh `17d709436c834c9b`). The accurate RMM agent IDs, Site ID, and current +infrastructure are in [[wolkin]]. The original Tailscale plan doc is preserved at +`clients/wolkin/remote-printing-tailscale-plan.md`. diff --git a/wiki/clients/wolkin-law.md b/wiki/clients/wolkin-law.md index 8ff5592..f1d8abe 100644 --- a/wiki/clients/wolkin-law.md +++ b/wiki/clients/wolkin-law.md 
@@ -1,361 +1,22 @@ -# Wolkin Law (Robert S. Wolkin, Esq.) - -**Client Type:** Legal Services -**Service Model:** Per-incident / Ad-hoc -**Primary Contact:** Robert Wolkin (robert@rswolkin.com) -**Remote Assistant:** Julie (julie@rswolkin.com) -**Syncro ID:** Not documented -**GuruRMM Client:** Wolkin, Robert / Main -**Last Compiled:** 2026-06-07 -**Compiled By:** Mikes-MacBook-Air/claude-main - +--- +type: client +name: wolkin-law +display_name: Wolkin Law (consolidated → wolkin) +last_compiled: 2026-06-11 +redirect: wolkin --- -## Overview +# Wolkin Law → see [[wolkin]] -Solo law practice operated by Robert Wolkin with remote administrative assistance from Julie. Practice operates from a physical office location with a primary workstation (FRONT) and requires remote file access for Julie working from a separate location (RSW-Laptop). Infrastructure is minimal but critical for daily operations, focusing on secure remote file sharing and M365 collaboration. +This was a duplicate article for the same client, recorded under multiple slugs +(`wolkin` / `wolkin-law` / `rswolkin` / `robert-wolkin`). **Consolidated 2026-06-11 +into the canonical article [[wolkin]] (slug `wolkin`).** ---- +All current content — infrastructure, RMM agent IDs, ZeroTier/SMB/printer details, +credentials, and history — lives there. 
-## Current State - -### Active Services -- **Remote Access VPN**: ZeroTier mesh network (network 17d709436c834c9b) connecting office and remote workstations -- **File Sharing**: SMB shares from FRONT (Scans, Forms, Pleadings) accessed via persistent network drives on RSW-Laptop -- **M365 Mailbox Delegation**: Julie has FullAccess permissions to Robert's mailbox with AutoMapping enabled -- **GuruRMM Monitoring**: 3 Windows 11 agents enrolled (FRONT, RSW-Laptop, DESKTOP-V1JT1SE) -- **Software Deployment**: Office 365 and Adobe Creative Cloud Desktop being deployed to RSW-Laptop - -### Service Delivery Model -Per-incident work with no documented prepaid block or recurring monthly agreement. Work is performed on-demand as needs arise. - -### Recent Activity -- **2026-06-07**: ZeroTier VPN deployment, file sharing configuration, M365 mailbox delegation, software installation - ---- - -## Infrastructure - -### Network Architecture - -#### ZeroTier Mesh VPN -- **Network ID**: `17d709436c834c9b` -- **Network Type**: Private mesh (peer-to-peer) -- **Subnet**: 10.147.19.0/24 -- **Purpose**: Secure remote file access between office and remote locations - -Connected nodes: -- **FRONT** (office PC): 10.147.19.199, Node ID `0c00b9917a` -- **RSW-Laptop** (remote): 10.147.19.54, Node ID `2a497be947` - -DNS resolution provided via hosts file entries on both machines for `FRONT` and `RSW-Laptop` hostnames. - -#### Office Network -- **Printer**: RICOH network printer at 172.17.110.110 (Standard TCP/IP Port 9100) -- **Printer Driver**: RICOH PCL6 UniversalDriver V4.33 -- **Office Subnet**: 172.17.0.0/16 (assumed based on printer IP) - -The office network is NOT routed through ZeroTier; only the office PC participates in the mesh for file sharing purposes. Printer access from remote locations is not currently configured. 
- -### Systems - -#### FRONT (Office Workstation) -- **Role**: Primary office workstation, file share host -- **OS**: Windows 11 -- **ZeroTier IP**: 10.147.19.199 -- **GuruRMM Agent ID**: `04765560-3e8a-46e5-a507-c5f5f4ead6eb` -- **Local User**: julie (Administrator group) -- **Desktop Redirection**: OneDrive (owner's account) - -**SMB Shares**: -- `\\FRONT\Scans` → `C:\Scans` -- `\\FRONT\Forms` → `C:\Users\Owner\OneDrive\Desktop\Forms` -- `\\FRONT\Pleadings` → `C:\Users\Owner\OneDrive\Desktop\Pleading Forms and Filing` -- `\\FRONT\RICOH` → RICOH printer share (access issues unresolved) - -**Permissions**: Local user `julie` has NTFS FullControl on all shared folders (Scans, Forms, Pleadings). - -#### RSW-Laptop (Remote Laptop) -- **Role**: Julie's remote workstation -- **OS**: Windows 11 -- **ZeroTier IP**: 10.147.19.54 -- **GuruRMM Agent ID**: `043fd673-35a2-4d3d-8f91-ed73ce70cc1e` -- **Local User**: julie (Administrator group) - -**Network Drives** (persistent, mapped via `net use` with credentials): -- `S:` → `\\FRONT\Scans` -- `F:` → `\\FRONT\Forms` -- `P:` → `\\FRONT\Pleadings` - -**Desktop Shortcuts** (UNC paths for resilience): -- `Scans.lnk` → `\\FRONT\Scans` -- `Forms.lnk` → `\\FRONT\Forms` -- `Pleading Forms and Filing.lnk` → `\\FRONT\Pleadings` - -**Software Installed/Deploying**: -- Microsoft 365 (Office Deployment Tool 17830-20162, O365BusinessRetail, 64-bit, silent install in progress) -- Adobe Creative Cloud Desktop 6.0.0.660 (silent install in progress) - -#### DESKTOP-V1JT1SE -- **Role**: Personal machine (Bob's personal device) -- **Status**: Out of scope for MSP services -- **GuruRMM**: Enrolled but not managed - -### M365 Tenant - -**Domain**: rswolkin.com -**Tenant ID**: `ceb6dbe7-82c8-4d8f-9c6b-49aa26208e9b` - -**Licensed Users**: -- **robert@rswolkin.com**: Primary user (Robert Wolkin) - - Password: `Alissa16$!` (for Adobe Creative Cloud sign-in) -- **julie@rswolkin.com**: Remote assistant - - Password: `Jaylen0607!` - - Mailbox Permissions: 
FullAccess to robert@rswolkin.com with AutoMapping enabled - -**ComputerGuru MSP Apps**: At least Exchange Operator app is consented (used for mailbox delegation). Other ACG apps (Security Investigator, User Manager, Tenant Admin, Defender Add-on) consent status not documented. - ---- - -## Credentials - -All credentials are stored in vault at `clients/wolkin-law/*.sops.yaml` and user profile settings. - -### Local Accounts -- **julie** (both FRONT and RSW-Laptop): `Jaylen0607!` - - Role: Administrator on both machines - - Matches M365 password for convenience - -### M365 Accounts -- **julie@rswolkin.com**: `Jaylen0607!` -- **robert@rswolkin.com**: `Alissa16$!` - -### ZeroTier -- **Network ID**: `17d709436c834c9b` -- **Access**: Managed via ZeroTier Central web console - ---- - -## Known Issues & Limitations - -### HIGH: GuruRMM Password Setting Bug - -**Discovery Date**: 2026-06-07 -**Impact**: Critical - affects user account provisioning -**Status**: Documented in `.claude/memory/feedback_rmm_password_limitation.md` - -All password-setting commands executed via GuruRMM (PowerShell `Set-LocalUser`, PowerShell `net user`, CMD `net user`) return exit code 0 and "The command completed successfully" but fail to actually set the password. Verification with `net user ` shows "Password required: No" and authentication fails. - -**Workaround**: Use ScreenConnect for all password operations. The identical commands work correctly when executed via ScreenConnect, ruling out privilege issues (both run as SYSTEM). The bug is specific to GuruRMM's Windows agent process spawning mechanism. - -**Investigation Status**: Requires inspection of GuruRMM agent command execution code. High priority for platform stability. 
- -### MEDIUM: RICOH Printer Access from Remote - -**Discovery Date**: 2026-06-07 -**Impact**: Medium - printer access from remote location not functional -**Status**: Deferred for later investigation - -The RICOH network printer (172.17.110.110) is shared from FRONT as `\\FRONT\RICOH` but the RSW-Laptop receives access denied errors when attempting to connect. The printer is on the office LAN (172.17.0.0/16) which is not routed through ZeroTier. - -**Decision Point**: Two options considered: -1. Route entire 172.17.0.0/16 office subnet through ZeroTier (rejected for security/complexity) -2. Fix printer sharing permissions over ZeroTier mesh (chosen approach, not yet resolved) - -**Next Steps**: Investigate printer share permissions and credential passthrough behavior over ZeroTier connections. - -### LOW: Software Installation Verification Pending - -**Status**: In Progress -**Impact**: Low - installations were started and running at session end - -Office 365 and Adobe Creative Cloud Desktop installations were initiated on RSW-Laptop via silent installers but were still running in background when the session concluded. Installation completion and software functionality have not been verified. - -**Next Steps**: -- Verify Office 365 installation completed successfully -- Verify Adobe Creative Cloud Desktop installation completed successfully -- Test application launches and licensing activation - -### LOW: Mailbox AutoMapping Propagation - -**Status**: Waiting for propagation (5-15 minutes typical) -**Impact**: Low - mailbox access was granted, just waiting for Outlook auto-configuration - -Julie was granted FullAccess permissions to Robert's mailbox with AutoMapping enabled. The permission was successfully applied via Exchange Operator app API, but the mailbox won't appear automatically in Julie's Outlook until the AutoMapping propagates. - -**Next Steps**: Verify Robert's mailbox appears in Julie's Outlook client without manual configuration. 
- ---- - -## Patterns & Decisions - -### ZeroTier over Tailscale -**Decision Date**: 2026-06-07 - -Client specifically requested ZeroTier instead of Tailscale for the VPN solution. Existing Tailscale 1.98.4 installations were removed from both FRONT and RSW-Laptop, and ZeroTier 1.16.2 was deployed in their place. - -**Rationale**: Client preference (specific reason not documented). - -**Related Pattern**: Documented Tailscale client management pattern exists (see `wiki/patterns/tailscale-client-management.md`) but is not applicable to this client. - -### Hostname-Based UNC Paths -**Decision Date**: 2026-06-07 - -Desktop shortcuts initially used drive letters (`S:\`, `F:\`, `P:\`) but were updated to UNC paths using the `FRONT` hostname (`\\FRONT\Scans`, etc.) after the mapped drives disconnected. - -**Rationale**: UNC paths provide better resilience. If mapped drives disconnect or IP addresses change, the shortcuts continue working as long as the hostname resolves. Hosts file entries provide static DNS resolution for the FRONT hostname on the ZeroTier network. - -### Administrator Access for Remote User -**Decision Date**: 2026-06-07 - -Julie's local account on RSW-Laptop was added to the Administrators group instead of standard Users group. - -**Rationale**: Simplifies access and troubleshooting for remote work scenarios. Julie requires software installation capabilities and full system access for her role. - -**Security Consideration**: Acceptable risk for a two-user practice with trusted remote assistant. - -### SMB File Sharing vs. Cloud Storage -**Decision Date**: 2026-06-07 (implicit) - -File sharing is implemented via SMB over ZeroTier mesh rather than migrating to OneDrive/SharePoint shared folders. 
- -**Rationale**: -- Owner's desktop is already redirected to OneDrive -- Existing file organization and workflows remain intact -- No user training required for cloud storage paradigm -- Forms and Pleadings folders already stored in OneDrive (but accessed via SMB) - -**Trade-off**: Requires VPN connectivity and FRONT to be online. No offline access to files from RSW-Laptop. - ---- - -## History - -### 2026-06-07: ZeroTier VPN Deployment & Remote Access Configuration -**Work Performed By**: Mike Swanson -**Session Log**: `clients/wolkin-law/session-logs/2026-06-07-mike-zerotier-setup.md` - -Deployed ZeroTier mesh VPN to connect office PC (FRONT) with Julie's remote laptop (RSW-Laptop) for secure file sharing. Removed existing Tailscale installations and installed ZeroTier 1.16.2 on both machines, joining network 17d709436c834c9b with IPs 10.147.19.199 (FRONT) and 10.147.19.54 (RSW-Laptop). Added bidirectional hosts file entries for hostname resolution. - -Created local `julie` user accounts on both machines (Administrator group) with matching M365 credentials. Encountered and documented critical GuruRMM bug where password-setting commands complete successfully but fail to actually set passwords; worked around using ScreenConnect. - -Configured SMB file sharing for three folders (Scans at C:\Scans, Forms and Pleadings in OneDrive\Desktop). Granted julie NTFS FullControl permissions on all three. Mapped persistent network drives (S:, F:, P:) on RSW-Laptop and created desktop shortcuts using UNC paths (\\FRONT\...) for resilience. - -Granted julie@rswolkin.com FullAccess permissions to robert@rswolkin.com's M365 mailbox using ComputerGuru Exchange Operator app. Enabled AutoMapping for automatic mailbox appearance in Outlook. - -Initiated Office 365 and Adobe Creative Cloud Desktop installations on RSW-Laptop (silent installs running at session end). 
Investigated printer sharing for RICOH network printer but encountered access denied errors; deferred for later investigation. - -**Key Deliverables**: -- Functional remote file access via ZeroTier VPN -- Three SMB shares accessible from remote location -- M365 mailbox delegation configured -- Software deployment in progress -- GuruRMM password bug documented for platform team - -**Deferred Items**: -- RICOH printer access from remote -- Office/Adobe installation verification -- File share access testing from Julie's actual user session (all testing was SYSTEM context) - ---- - -## Compliance & Security Considerations - -### Data Protection -- **Attorney-Client Privileged Material**: All file shares contain legal documents and case files subject to attorney-client privilege -- **Encryption**: ZeroTier provides encrypted mesh networking (AES-256) -- **Access Control**: SMB shares require authentication; only `julie` local account has permissions -- **Physical Security**: FRONT is at office location; RSW-Laptop location not documented - -### M365 Security Posture -- **MFA Status**: Not documented -- **Conditional Access**: Not documented -- **Mailbox Delegation Audit**: Julie has FullAccess to Robert's mailbox (appropriate for assistant role) -- **Data Loss Prevention**: Not documented - -**Recommendation**: Enable MFA for both M365 accounts (robert@rswolkin.com and julie@rswolkin.com) to protect against credential compromise, especially given the sensitive nature of legal communications. 
- -### Network Security -- **VPN Type**: ZeroTier mesh (peer-to-peer, not hub-and-spoke) -- **Office Firewall**: Not documented -- **Endpoint Protection**: Not documented -- **Patch Management**: GuruRMM monitoring in place but update policies not documented - ---- - -## Service Delivery Notes - -### Communication Patterns -- Primary contact via Robert Wolkin (robert@rswolkin.com) -- No documented SLA or response time expectations -- Per-incident service model (user initiates contact when issues arise) - -### Billing Model -Not documented. No prepaid block or monthly recurring charge noted. - -### Session Logs -All work sessions stored in `clients/wolkin-law/session-logs/` subdirectory. - ---- - -## Related Documentation - -### Wiki Articles -- [Tailscale Client Management Pattern](../patterns/tailscale-client-management.md) - Not applicable (client uses ZeroTier) -- [GuruRMM Project](../projects/gururmm.md) - Platform documentation including known issues - -### Session Logs -- [2026-06-07: ZeroTier VPN Setup](../../clients/wolkin-law/session-logs/2026-06-07-mike-zerotier-setup.md) - -### Memory Items -- `.claude/memory/feedback_rmm_password_limitation.md` - GuruRMM password bug documentation - -### Vault Entries -- `clients/wolkin-law/*.sops.yaml` - Client credentials (exact structure not documented) - ---- - -## Quick Reference - -### File Share Access (from Remote) -```cmd -S: → \\FRONT\Scans -F: → \\FRONT\Forms -P: → \\FRONT\Pleadings -``` - -### Remap Drives (if disconnected) -```cmd -net use S: \\FRONT\Scans /user:FRONT\julie Jaylen0607! /persistent:yes -net use F: \\FRONT\Forms /user:FRONT\julie Jaylen0607! /persistent:yes -net use P: \\FRONT\Pleadings /user:FRONT\julie Jaylen0607! 
/persistent:yes -``` - -### ZeroTier Management -```cmd -# View network status -"C:\Program Files (x86)\ZeroTier\One\zerotier-cli.bat" listnetworks - -# View node info -"C:\Program Files (x86)\ZeroTier\One\zerotier-cli.bat" info -``` - -### GuruRMM Agent IDs -- **FRONT**: `04765560-3e8a-46e5-a507-c5f5f4ead6eb` -- **RSW-Laptop**: `043fd673-35a2-4d3d-8f91-ed73ce70cc1e` -- **DESKTOP-V1JT1SE**: Not documented (out of scope) - ---- - -## Sources - -This article was compiled from: -- Session log: `clients/wolkin-law/session-logs/2026-06-07-mike-zerotier-setup.md` -- GuruRMM platform data (agent enrollment, client structure) -- M365 tenant configuration via remediation tool -- Direct observation during VPN deployment and file sharing configuration - -**Compilation Methodology**: Full initial compilation from first comprehensive work session. No prior wiki article existed; previous wiki index entry was a stub referencing "Robert Wolkin" as a separate entry. - -**Last Updated**: 2026-06-07 -**Next Review**: After completion of pending items (printer access, software installation verification, file share user testing) +> Note: this file previously contained plaintext M365/local passwords. Those were removed +> and moved to the vault: `clients/wolkin/front-julie.sops.yaml` and +> `clients/wolkin/m365-users.sops.yaml`. It also listed an incorrect FRONT RMM agent id +> (`04765560-…`, which is actually Rednour's FrontDeskReception) — the correct value is in +> [[wolkin]]. diff --git a/wiki/clients/wolkin.md b/wiki/clients/wolkin.md index 801618e..accf997 100644 --- a/wiki/clients/wolkin.md +++ b/wiki/clients/wolkin.md 
@@ -2,17 +2,27 @@ type: client name: wolkin display_name: Wolkin Law -last_compiled: 2026-06-08 -compiled_by: GURU-BEAST-ROG/claude-main +last_compiled: 2026-06-11 +compiled_by: GURU-5070/claude-main +aliases: [wolkin-law, rswolkin, robert-wolkin, "Wolkin, Robert"] sources: + - clients/wolkin/session-logs/2026-06-05-julie-guda-provisioning.md + - clients/wolkin/session-logs/2026-06-06-mike-gemini-install-rmm-diagnostic-tailscale-planning.md + - clients/wolkin/session-logs/2026-06-07-mike-zerotier-setup.md - clients/wolkin/session-logs/2026-06-07-mike-wolkin-remote-access-printer.md - clients/wolkin/session-logs/2026-06-07-mike-wolkin-clientfiles-printshare.md - clients/wolkin/session-logs/2026-06-08-mike-wolkin-clientfiles-consolidation.md + - clients/wolkin/onboarding-baselines/FRONT-20260606T133142.md backlinks: [] --- # Wolkin Law +> **CANONICAL ARTICLE.** This one client was previously fragmented across four slugs — +> `wolkin`, `wolkin-law`, `rswolkin`, `robert-wolkin` (RMM client name: `Wolkin, Robert`; +> M365 tenant `rswolkin.com`). Consolidated here 2026-06-11; the other client dirs and wiki +> articles are now pointer stubs. Always use slug **`wolkin`**. + ## Profile - **Contract type:** (verify — check Syncro) - **Key contacts:** 
@@ -34,8 +44,23 @@ backlinks: [] **Total Assets:** (verify — check Syncro) +### GuruRMM + +- **Client name:** `Wolkin, Robert` · **Site:** `Main` · **Site ID:** `2bb05f85-9fc8-4a7e-a5e5-ffe0c46431ac` +- **Enrolled agents** (Windows 11 Home; resolve live — UUIDs change on re-enroll): + +| Hostname | Agent ID | Scope | +|---|---|---| +| **front** (office PC / print + file server) | `877d311a-4b24-462c-97b1-d2a0f7730a71` | in scope | +| **RSW-Laptop** (Julie's remote laptop) | `043fd673-35a2-4d3d-8f91-ed73ce70cc1e` | in scope | +| DESKTOP-V1JT1SE (Bob's personal desktop) | `30f6af79-ab19-4ed3-9ebc-71b2bffc2d27` | **out of scope** (personal) | + +> [WARNING] The retired `wolkin-law.md` article listed FRONT's agent id as +> `04765560-3e8a-46e5-a507-c5f5f4ead6eb` — that is **Rednour's FrontDeskReception**, a +> cross-client error. FRONT (Wolkin) is `877d311a-…`. + ### Email & Identity -- **M365 Tenant:** rswolkin.com +- **M365 Tenant:** rswolkin.com (tenant ID `ceb6dbe7-82c8-4d8f-9c6b-49aa26208e9b` — from prior article, verify) - **Licensed Users:** - robert@rswolkin.com (primary) - julie@rswolkin.com (assistant - has FullAccess delegation to robert@'s mailbox) 
@@ -54,14 +79,16 @@ backlinks: [] - `\\front\Sharp` → Sharp MX-B557F print share ## Access -- **FRONT\julie:** Local Windows account (password in session log 2026-06-07 or vault TBD) -- **RDP/SSH:** None configured -- **VPN:** ZeroTier mesh network 17d709436c834c9b (all 3 machines enrolled) -- **Vault path:** `clients/wolkin/` (credentials TBD - migrate from session log) +- **FRONT\julie** (local Windows acct on both FRONT and RSW-Laptop; used for laptop→FRONT SMB/print auth): vault **`clients/wolkin/front-julie.sops.yaml`** (vaulted 2026-06-11). +- **M365 users** (robert@ / julie@ rswolkin.com): vault **`clients/wolkin/m365-users.sops.yaml`** (vaulted 2026-06-11; previously plaintext in the retired wolkin-law.md). +- **RDP/SSH:** None configured. **ScreenConnect:** used for hands-on (the GuruRMM agent cannot set local passwords — see Patterns). +- **VPN:** ZeroTier mesh `17d709436c834c9b` (10.147.19.0/24) — front 10.147.19.199, RSW-Laptop 10.147.19.54. `front` resolves via a hosts entry on the laptop (`10.147.19.199 FRONT`). +- **Vault path:** `clients/wolkin/` ## Patterns & Known Issues - **macOS Syncro JSON parsing:** Syncro customer lookup from Mac failed due to JSON parsing issues (2026-06-07). Use Windows PC for Syncro API operations or manual web portal lookups. -- **ZeroTier print RPC needs Private profile:** File-and-Printer-Sharing inbound rules (incl. Print Spooler RPC) apply to the Private profile only. The ZeroTier interface was Public on both FRONT and RSW-Laptop, which blocked print/RPC over ZT while file SMB still worked. Fix: set the ZT interface Private on both ends. +- **ZeroTier print RPC needs Private profile:** File-and-Printer-Sharing inbound rules (incl. Print Spooler RPC) apply to the Private profile only. The ZeroTier interface was Public on both FRONT and RSW-Laptop, which blocked print/RPC over ZT while file SMB still worked. Fix: set the ZT interface Private on both ends. (Confirmed still Private both ends 2026-06-11.) 
+- **[KNOWN WALL] RSW-Laptop SMB to FRONT fails `net use`/`net view` with error 67 / RPC 1702 — scripted connection does NOT work; connect interactively.** First hit 2026-06-07, again 2026-06-11. Symptom: `net use \\FRONT\IPC$` (and by IP `\\10.147.19.199\IPC$`) → **System error 67 "network name cannot be found"**, `net view \\FRONT` → **1702 "binding handle invalid"** — even though everything underneath is healthy: ZeroTier up, name resolves, **TCP 445/139 open**, MTU 2800 carries full DF packets, FRONT spooler running + `Sharp` shared + profile Private + SMB-In allowed, laptop ZT adapter bindings (`ms_msclient`/`ms_server`) all present, and **error 67 persists even with valid `FRONT\julie` creds** (so it is NOT auth, NOT firewall, NOT MTU, NOT bindings, NOT profile). The scripted `Add-Printer -ConnectionName \\FRONT\Sharp` also throws error 67. **What works: a hands-on interactive connection via ScreenConnect as Julie** (how Mike cleared it 2026-06-07). Root cause of the redirector quirk over ZeroTier is still unidentified; do NOT burn hours re-deriving the plumbing — it is all verified clean. Diagnostic tip: `Get-NetAdapterBinding -Name "ZeroTier One [..]"` returns empty because the `[ ]` in the adapter name are treated as wildcards — query by `-InterfaceDescription "ZeroTier Virtual Port"` or pipe the adapter object. - **Canonical data is local, not OneDrive:** the firm's repository is `C:\Shared Data\CLIENT FILES` on FRONT (local). OneDrive copies under `OneDrive\Documents` / `OneDrive\Shared Data` were stale predecessors from a defunct Resilio/ownCloud sync setup — consolidated and removed 2026-06-08. Win11 Home does not surface the Explorer "Previous Versions" tab; VSS restores are admin-side (mount the shadow volume). ## Active Work 
@@ -71,9 +98,14 @@ backlinks: [] - [x] M365 mailbox delegation (Julie → Robert FullAccess) - [x] Printer access via ZeroTier (Sharp `\\front\Sharp` over ZT; ZT set Private both ends; FRONT moved to TCP/IP 9100) - [x] ClientFiles share repointed to canonical `C:\Shared Data\CLIENT FILES` + data consolidated + VSS enabled (2026-06-08) -- **Open follow-ups:** Bob to file the 67 loose docs in `CLIENT FILES\Closed Files\_From OneDrive Documents`; migrate `front\julie` password to vault `clients/wolkin/`; consolidate the three Wolkin client slugs (`wolkin`/`wolkin-law`/`rswolkin`). +- **Open follow-ups:** + - [ ] **RSW-Laptop printer broken again (2026-06-11):** Julie reports "no printers." `\\front\Sharp` is mapped but the SMB session to FRONT fails (error 67 — see Patterns). Plumbing verified clean; needs a **ScreenConnect/interactive reconnect** as Julie (scripted won't work). Consider rotating `front\julie` afterward (its password transited the RMM command log during diagnosis). + - [x] **Migrate `front\julie` + M365 creds to vault** — DONE 2026-06-11 (`clients/wolkin/front-julie.sops.yaml`, `clients/wolkin/m365-users.sops.yaml`). + - [x] **Consolidate the four Wolkin slugs** — DONE 2026-06-11 (canonical `wolkin`; wolkin-law/rswolkin/robert-wolkin stubbed). + - [ ] Bob to file the 67 loose docs in `CLIENT FILES\Closed Files\_From OneDrive Documents`. ## History Highlights +- **2026-06-11:** Printer re-reported down (Julie "no printers"). Full re-diagnosis via RMM: confirmed the error-67 SMB wall (see Patterns) — plumbing all clean, needs interactive fix. **Data-hygiene remediation:** consolidated the four fragmented client slugs into canonical `wolkin`; moved all scattered logs/baselines into `clients/wolkin/`; vaulted `front\julie` + the M365 user passwords (which had been sitting plaintext in the wiki / only in session logs); corrected the cross-client FRONT agent-id error; captured the error-67 gotcha as a memory. 
- **2026-06-08:** ClientFiles corrected to the real local repo + full consolidation + VSS - Repointed `\\front\ClientFiles` to canonical `C:\Shared Data\CLIENT FILES` (413 matters); tightened share ACL; `front\julie` NTFS Modify - Added Client Files desktop icons on FRONT (local) and Bob's DESKTOP-V1JT1SE (UNC)
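Review bot: In the `wiki/clients/wolkin-law.md` hunk, the removed `### Local Accounts` and `### M365 Accounts` lines carry the passwords in plaintext, so deleting them from the working tree leaves them readable in this commit's `-` lines and in every earlier revision of the file. The replacement note says only that they "were removed and moved to the vault"; it should also say the values are treated as exposed. The removed text states the local `julie` password matches the M365 one, so the two vault files should end up holding distinct values. Because the repository is synced between machines (`compiled_by` changes from GURU-BEAST-ROG to GURU-5070 in this patch), a history rewrite for this path is worth tracking too.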
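Review bot: In the front matter of `wiki/clients/wolkin.md` (hunk `@@ -2,17 +2,27 @@`), `last_compiled` moves to 2026-06-11 but `sources:` gains no 2026-06-11 entry, although the History Highlights entry added further down is dated 2026-06-11. Add the session log for that date to `sources:` so the error-67 findings and the vaulting work stay traceable from the article. `backlinks: []` is also left empty even though the stub added to `wolkin-law.md` now links here with `[[wolkin]]`.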
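Review bot: In the `### GuruRMM` hunk (`@@ -34,8 +44,23 @@`), the table hard-codes agent UUIDs directly under a note that they change on re-enroll, which is the same kind of staleness that let another client's agent id sit in the retired article. Add a verified-on date per row and say that commands are targeted by resolving the hostname within client `Wolkin, Robert` / site `Main`, not by copying an id from this page. The `[WARNING]` block also repeats the other client's full agent id and machine name inside the Wolkin article; the stub in `wolkin-law.md` already truncates it to `04765560-…`, and the same truncation here keeps cross-client identifiers out of this file. The tenant ID is committed with "from prior article, verify"; verify it before merging or leave it out, since the prior article is the one with the known id error.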
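Review bot: In the `## Access` hunk (`@@ -54,14 +79,16 @@`), the removed VPN line said all 3 machines were enrolled in ZeroTier network `17d709436c834c9b`, while the new line lists only front and RSW-Laptop, so the page no longer records whether DESKTOP-V1JT1SE (marked out of scope in the GuruRMM table) is still a member. That matters because the Patterns entry sets the ZeroTier interface to Private on FRONT so the File-and-Printer-Sharing inbound rules apply on it, which makes reachability of FRONT's shares depend on who is in the mesh. State the current member list and whether those inbound rules are scoped to 10.147.19.54 or open to all of 10.147.19.0/24. The `[KNOWN WALL]` entry would also be easier to use if split into symptom, verified-clean checks and workaround bullets.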
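Review bot: In the Open follow-ups list (hunk `@@ -71,9 +98,14 @@`), rotating `front\julie` appears only as "Consider rotating ... afterward" inside the printer item, even though the same line says the password transited the RMM command log. Make it its own unchecked `- [ ]` item so it survives when the printer item is closed, and include the M365 user passwords, which the 2026-06-11 History entry says had been sitting in plaintext in the wiki. As written, the vault migration item is checked DONE while the vaulted values are the ones that were exposed.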