sync: auto-sync from GURU-5070 at 2026-06-12 05:57:38

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-12 05:57:38
2026-06-12 05:58:05 -07:00
parent d1e02293c5
commit fd99ee327c
47 changed files with 1825 additions and 1 deletions


@@ -122,7 +122,7 @@ Massage therapy practice with at least two sites: Country Club (primary, all wor
- **UDR Ultra reboot can silently drop the VPN port-forward (site-wide outage risk).** Confirmed 2026-06-04: the UDR Ultra (UCG-PST-CC) rebooted at 03:59 and came back without the UDP 500/4500 -> 192.168.0.2 port-forward, taking the entire site VPN offline with error 789 (IKE packets silently dropped at the edge). The `/data/on_boot.d/10-vpn-portforward.sh` persistence script was present but the UniFi OS 5.1.15 controller schema migration appears to have superseded it. **After any site-wide error 789, check the UDR port-forward in the UniFi controller FIRST** — IPsec auditing on the server (zero IKE events) is the confirmatory test. Long-term open items: (1) verify the re-added rule persists across a deliberate reboot (possible firmware bug or uncommitted rule), (2) add a DDNS hostname so the hardcoded 98.190.129.150 in client profiles is not a single point of failure for a Cox WAN-IP change.
- **UCG iptables DNAT required — UniFi Traffic Rules are firewall-allow only, NOT DNAT.** Port-forward rules must be managed via the UniFi controller UI; `/data/on_boot.d/10-vpn-portforward.sh` is a legacy CLI fallback and may not persist reliably on UniFi OS 5.1.15+ (see above). Always verify iptables live after a reboot.
- **UCG SSH unreachable from office WAN.** All remote UCG administration must go through GuruRMM (for PST-SERVER) or the UniFi cloud portal (for UCG itself). LAN SSH (192.168.0.10) requires keyboard-interactive auth — password auth via plink fails; use paramiko with kb_handler or interactive terminal.
- **GuruRMM PowerShell invocation quirk.** Running `command_type: powershell` fails on PST machines with "-OutputEncoding is not recognized." Use `command_type: cmd` and call `powershell.exe` explicitly within the script body.
- **GuruRMM command_type — use `powershell` or `shell`, NOT a made-up type (RESOLVED 2026-06-12).** The old advice here ("use `command_type: cmd` and call powershell.exe") was wrong on two counts: (1) the `-OutputEncoding` PowerShell failure it worked around is fixed in the agent (it sets `[Console]::OutputEncoding` inline, so `command_type: "powershell"` works on PST machines); (2) the agent's `CommandType` enum only accepts `shell`, `powershell`, `python`, `script`, `claude_task` (+ alias `cmd` → shell, added 2026-06-12). A command with an **unknown** `command_type` (e.g. the bare `cmd` before the alias) fails the agent's whole-message JSON parse and is **silently dropped** — no ack, no result — which looks exactly like a network black-hole and cost a long mis-diagnosis. Always use `powershell` (runs powershell.exe, UTF-8 fixed) or `shell`/`cmd` (runs cmd.exe). The agent now also NAKs an unparseable command so it fails fast instead of black-holing.
- **Machine cert template (PEACEFULSPIRIT-PST-SERVER-CA / Machine template).** `msPKI-Certificate-Name-Flag` was changed from `0x18000000` to `0x1` (ENROLLEE_SUPPLIES_SUBJECT) on 2026-05-11. This is a domain-wide template change. New machine certs will use the CSR Subject/SAN rather than the submitting machine's AD DNS identity. RRAS UserAuthProtocolAccepted now includes Certificate (added 2026-05-11).
- **OneDrive KFM on WSE folder-redirected profiles.** Machines formerly managed by Windows Server Essentials had WSE-specific non-standard GUID variants in User Shell Folders (different from standard Known Folder GUIDs). Direct HKU writes alone do not clear the shell's internal known folder policy state — `SHSetKnownFolderPath` must be called with `flags=0` (not 0x4000) in user session context. If KFM still fails after registry cleanup, wipe the profile and redeploy with per-machine OneDrive (`/allusers`).
- **pst-admin vs sysadmin distinction.** `pst-admin` is a domain user (in WseRemoteAccessUsers, VPN-eligible). `sysadmin` is domain admin. Many early session failures were caused by using pst-admin credentials for domain admin operations.
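Review bot: the replacement bullet (the `command_type` item) records that the `cmd` alias and the NAK-on-unparseable-command behaviour were "added 2026-06-12" but gives no agent version or build, so a reader cannot tell whether a given PST machine still silently drops an unknown `command_type` with no ack and no result; add the minimum agent version next to "added 2026-06-12" and note that hosts below it still black-hole, so `powershell` stays the safe default until every host is confirmed upgraded. Minor: "The old advice here (...)" points at the bullet this same hunk removes; the parenthetical quote keeps it readable, but the sentence would stand better stating the two corrections directly without the back-reference.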