Compare commits
2 Commits
db3edfdb82
...
b7bc3f4d25
| Author | SHA1 | Date | |
|---|---|---|---|
| b7bc3f4d25 | |||
| 6e5a389539 |
@@ -139,3 +139,4 @@
|
||||
- [IX WHM API access = 'ClaudeTools' token, not password](ix-whm-dns-api-access.md) — IX cPanel/WHM (ix.azcomputerguru.com:2087) DNS + all API work uses the FULL-ACCESS-root WHM API token at vault `infrastructure/ix-server` `credentials.whm-api-token` via header `Authorization: whm root:<token>` (force curl -4). Password basic-auth on legacy json-api now 403s. Public NS ns1/ns2.acghosting.com = 52.52.94.202.
|
||||
- [Vault EVERY credential surfaced in-session](feedback-vault-every-credential.md) — any cred (pasted/created/discovered) -> store via the vault skill + document purpose & exact usage immediately; it's a standing job rule (reinforced in CORE CLAUDE.md). Lost IX creds wasted ~1h on 2026-06-12.
|
||||
- [GuruRMM install-report v1: reuse endpoint + failed-install agent](gururmm-install-report-failed-agent-v1.md) — legacy NSIS installer reuses /api/install-report (machine info + logs, success+fail); server upserts a visible "failed-install" device on failure reports (Mike: in v1); verify-connect-before-success; trend/near-fail analytics. Server side is a separate sequential SPEC after the legacy-agent branch lands.
|
||||
- [DM wrapping commands to Mike in Discord](feedback_dm_wrapping_commands_to_mike.md) — long/wrapping one-liners go via Discord DM (code block copies clean), not just chat; bot token vault projects/discord-bot/bot-token, Mike uid 264814939619721216, MUST set User-Agent header or Cloudflare 403 errcode 1010; helper .claude/tmp/discord-dm.py
|
||||
|
||||
29
.claude/memory/feedback_dm_wrapping_commands_to_mike.md
Normal file
29
.claude/memory/feedback_dm_wrapping_commands_to_mike.md
Normal file
@@ -0,0 +1,29 @@
|
||||
---
|
||||
name: feedback_dm_wrapping_commands_to_mike
|
||||
description: When a command/snippet you want Mike to run is long enough to wrap in the terminal, DM it to him in Discord (code block copies cleanly) instead of only putting it in chat.
|
||||
metadata:
|
||||
type: feedback
|
||||
---
|
||||
|
||||
Mike (2026-06-13): "For any command that wraps (like this one) DM me in discord, the
|
||||
line breaks suck." Terminal line-wrapping mangles long one-liners when he copies them.
|
||||
|
||||
**How to apply:** When you produce a command/code block for Mike to run that would wrap
|
||||
in the terminal (long one-liners, multi-flag commands), send it to him via Discord DM as a
|
||||
```fenced code block``` (Discord copies the whole line cleanly regardless of visual wrap),
|
||||
and just reference it in chat ("DM'd you the command"). Short, non-wrapping commands can
|
||||
stay inline.
|
||||
|
||||
**Mechanics (verified working 2026-06-13):**
|
||||
- Bot token: vault `projects/discord-bot/bot-token.sops.yaml` field `credentials.bot_token`.
|
||||
- Mike's Discord user id: `264814939619721216` (Howard: `624667664501178379`).
|
||||
- **MUST set a `User-Agent` header** like `DiscordBot (https://azcomputerguru.com, 1.0)` --
|
||||
Discord's API is behind Cloudflare, which returns **403 error 1010** for the default
|
||||
urllib/curl UA. This is the #1 gotcha; both DM-open and message-send fail without it.
|
||||
- Open a DM channel: `POST https://discord.com/api/v10/users/@me/channels {"recipient_id":<uid>}`
|
||||
-> returns channel id; then `POST /channels/<id>/messages {"content": "..."}`.
|
||||
- Reusable helper written this session: `.claude/tmp/discord-dm.py` (reads body from a file
|
||||
or stdin; `BOT_TOKEN` from env). The bot CAN initiate DMs to Mike (mutual guild
|
||||
624663750603046913); the earlier 403 was the missing UA, not a privacy block.
|
||||
|
||||
Related: [[reference_resource_map]] (Discord bot), the `discord-bot` project.
|
||||
17
.tmp-xen-snapvdi.py
Normal file
17
.tmp-xen-snapvdi.py
Normal file
@@ -0,0 +1,17 @@
|
||||
import os, paramiko
|
||||
host="192.168.0.104"; user="root"; pw=os.environ["XEN_PW"]
|
||||
c=paramiko.SSHClient(); c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
|
||||
c.connect(host, username=user, password=pw, timeout=20,
|
||||
disabled_algorithms={'pubkeys': ['rsa-sha2-256','rsa-sha2-512']},
|
||||
look_for_keys=False, allow_agent=False)
|
||||
def run(cmd):
|
||||
i,o,e=c.exec_command(cmd,timeout=120); return (o.read().decode(errors="replace")+e.read().decode(errors="replace")).strip()
|
||||
g_vdi="828ea0ff-04c7-4f7c-9e4d-baa9e15d72bd" # G: = "2003 Disk 2" xvdb
|
||||
print("=== snapshotting G: VDI for consistent export ===")
|
||||
snap=run(f'xe vdi-snapshot uuid={g_vdi}')
|
||||
print("snapshot VDI uuid:", snap)
|
||||
print("=== snapshot details ===")
|
||||
print(run(f"xe vdi-param-list uuid={snap} | grep -iE 'uuid \\(|name-label|virtual-size|is-a-snapshot|sr-name-label'"))
|
||||
print("=== dom0 free space (confirm we must stream, not stage locally) ===")
|
||||
print(run("df -h / /var/tmp 2>/dev/null | head"))
|
||||
c.close()
|
||||
@@ -0,0 +1,117 @@
|
||||
## User
|
||||
- **User:** Mike Swanson (mike)
|
||||
- **Machine:** GURU-5070
|
||||
- **Role:** admin
|
||||
|
||||
## Session Summary
|
||||
|
||||
Disabled two RMM-agent deployment GPOs in the Valley Wide Plastering (VWP) Active Directory
|
||||
domain. The session began with a quick credential question (Gemini API key — none exists; the
|
||||
`agy`/Gemini CLI integration is keyless via Google OAuth), then moved to the primary task on the
|
||||
VWP domain controllers.
|
||||
|
||||
Loaded VWP context from `wiki/clients/valleywide.md` and the vault. Confirmed the live AD domain
|
||||
is `VWP.US` (NetBIOS `VWP`, PDC = `VWP-DC1.VWP.US`) — correcting the wiki's `vwp.local` reference,
|
||||
which is not the actual AD DNS root. Both DCs were reachable over the already-connected VPN:
|
||||
VWP_ADSRVR (192.168.0.25) and VWP-DC1 (172.16.9.2). Used VWP_ADSRVR as the entry point because it
|
||||
has working ed25519 SSH key auth for `vwp\guru`.
|
||||
|
||||
Enumerated all domain GPOs and located the target: a GPO named `Syncro`
|
||||
(`{F6C27AA4-4A8B-4AA0-B5B9-B0DD47ECF6CA}`), a machine-assigned software-installation policy that
|
||||
deploys the Syncro agent MSI, linked at the domain root (applies to all domain computers) and
|
||||
fully enabled. After confirming method with the user, disabled it (set GpoStatus to
|
||||
AllSettingsDisabled). The user then requested the same for the second RMM GPO — `Datto RMM Agent
|
||||
install by immediate scheduled task` (`{9795454E-4C25-4B3F-8655-9DF5F46054FF}`), also linked at
|
||||
the domain root — which was likewise disabled. Both are confirmed `flags=3` on ADSRVR. This looks
|
||||
like a Syncro→Datto migration cleanup, but both deployment mechanisms were disabled per the user's
|
||||
instruction.
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- **Disabled via LDAP `Set-ADObject` (`flags=3`) rather than `Set-GPO`/GPMC.** `Get-GPO`/`Set-GPO`
|
||||
failed with `0x80072020` over SSH — the GPMC COM layer needs to bind to SYSVOL over SMB, and the
|
||||
key-based SSH logon has no delegatable credentials (classic double-hop). Pure-LDAP cmdlets
|
||||
(`Get-ADDomain`, `Get-ADObject`, `Set-ADObject`) work because they bind directly to the local
|
||||
DC. Setting the GPC `flags` attribute to `3` is exactly equivalent to
|
||||
`Set-GPO -Status AllSettingsDisabled`.
|
||||
- **Chose AllSettingsDisabled over unlinking.** Disables the GPO wherever linked, is fully
|
||||
reversible (set `flags` back to `0`), and is a single object change. Both GPOs are only linked at
|
||||
the domain root today, so the effect is identical to disabling the link.
|
||||
- **Left the GPOs linked and present (not deleted/unlinked).** Reversible and non-destructive.
|
||||
- **Did not attempt to uninstall existing agents.** Disabling a deployment GPO stops future
|
||||
installs/reinstalls but does not remove agents already present — flagged to the user as a
|
||||
separate task.
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- **`Get-GPO -All` → `0x80072020` (operations error) over SSH.** Cause: GPMC COM double-hop (no
|
||||
delegatable creds on the SSH key logon). Resolution: enumerated GPOs and read/wrote status via
|
||||
LDAP cmdlets instead, and read GPO contents from the local SYSVOL path on the DC.
|
||||
- **Cross-DC verification via `-Server VWP-DC1.VWP.US` failed** ("Unable to contact the server …
|
||||
AD Web Services"). Cause: ADWS on the remote DC not answering from the SSH session context
|
||||
(ADWS/double-hop). Not a write failure — the writes committed locally on ADSRVR and will
|
||||
replicate via normal AD replication. Verified `flags=3` on ADSRVR for both GPOs.
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
AD directory changes on domain `VWP.US` (no repo files changed for the VWP work):
|
||||
- GPO `Syncro` `{F6C27AA4-4A8B-4AA0-B5B9-B0DD47ECF6CA}`: `flags` 0 → 3 (AllSettingsDisabled).
|
||||
- GPO `Datto RMM Agent install by immediate scheduled task` `{9795454E-4C25-4B3F-8655-9DF5F46054FF}`:
|
||||
`flags` 0 → 3 (AllSettingsDisabled).
|
||||
|
||||
Repo:
|
||||
- Created this session log.
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
No new credentials discovered or created. Used existing vaulted access:
|
||||
- `clients/vwp/adsrvr` — SSH key auth `vwp\guru` (ed25519); domain admin `vwp\sysadmin`.
|
||||
- Gemini API key: confirmed **none exists** — `agy`/Gemini CLI is keyless (Google OAuth,
|
||||
`~/.gemini/oauth_creds.json`).
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- **AD domain:** `VWP.US` (NetBIOS `VWP`). PDC emulator: `VWP-DC1.VWP.US`.
|
||||
- Note: wiki says `vwp.local`; the actual AD DNS root is `VWP.US`. SYSVOL path:
|
||||
`C:\Windows\SYSVOL\sysvol\vwp.us\Policies\{GUID}`.
|
||||
- **VWP_ADSRVR** — 192.168.0.25, DC + SSH entry point, Server 2019. SSH ed25519 key auth for
|
||||
`vwp\guru`. Default shell cmd.exe — wrap with `powershell -NoProfile -Command`.
|
||||
- **VWP-DC1** — 172.16.9.2, PDC emulator, NPS/RADIUS, `VWP-DC1.VWP.US`.
|
||||
- Both reachable over VPN this session.
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
- Domain identity: `Get-ADDomain` → `DNSRoot=VWP.US NetBIOS=VWP PDC=VWP-DC1.VWP.US`.
|
||||
- Enumerate GPOs (LDAP, avoids GPMC double-hop):
|
||||
`Get-ADObject -Filter { objectClass -eq 'groupPolicyContainer' } -Properties displayName,gPCFileSysPath,flags`
|
||||
- Find links: `Get-ADObject -LDAPFilter "(gPLink=*<guid>*)" -SearchBase <domainDN>` →
|
||||
both target GPOs linked at `DC=VWP,DC=US` (domain root, `;0` = enabled, not enforced).
|
||||
- Syncro GPO contents (local SYSVOL): `Machine\Applications\{B2B45EC0-548F-4187-9065-E4575A652ACD}.aas`
|
||||
→ machine-assigned software installation (MSI deploy).
|
||||
- Disable: `Set-ADObject -Identity "CN={<guid>},CN=Policies,CN=System,DC=VWP,DC=US" -Replace @{flags=3}`
|
||||
→ verified `flags=3` for both on ADSRVR.
|
||||
- `Get-GPO -All` → `0x80072020` (double-hop; use LDAP path instead).
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
- **Existing RMM agents not removed.** Disabling the GPOs stops deployment/reinstall only. If the
|
||||
intent is full Syncro removal (and/or Datto), uninstall existing agents separately (managed
|
||||
uninstall, or removal via the RMM platform). Awaiting user direction.
|
||||
- **Wiki correction:** update `wiki/clients/valleywide.md` to reflect the AD DNS root is `VWP.US`,
|
||||
not `vwp.local` (vwp.us is the live AD domain, not just an external FQDN domain).
|
||||
- **Replication spot-check:** ADWS on VWP-DC1 not reachable from the SSH session; confirm the
|
||||
`flags=3` change replicated to DC1 on a future visit if desired (normal replication expected).
|
||||
- **Next project (this session):** Peaceful Spirit AD + DFS investigation and setup (started a few
|
||||
days ago) — resuming after this save.
|
||||
|
||||
## Reference Information
|
||||
|
||||
- Syncro GPO GUID: `{F6C27AA4-4A8B-4AA0-B5B9-B0DD47ECF6CA}`
|
||||
- Datto RMM GPO GUID: `{9795454E-4C25-4B3F-8655-9DF5F46054FF}`
|
||||
- Other domain-root GPOs observed (untouched): `Default Domain Policy`
|
||||
`{31B2F340-016D-11D2-945F-00C04FB984F9}`, `Enable SMB1 Client`
|
||||
`{22068DEC-5E9A-4539-B8C5-2C08F2DD9AE0}`, `MappedDrives`
|
||||
`{7D1AAC5B-2E39-4D6C-9248-AEC511E2A86D}`, `Default Domain Controllers Policy`
|
||||
`{6AC1786C-016F-11D2-945F-00C04FB984F9}`.
|
||||
- Vault: `clients/vwp/adsrvr`, `clients/vwp/dc1`.
|
||||
- Wiki: `wiki/clients/valleywide.md`.
|
||||
@@ -0,0 +1,89 @@
|
||||
# Session 2026-06-13 — GuruRMM legacy native-SCM MSRV probe + SMB1 client enable
|
||||
|
||||
## User
|
||||
- **User:** Mike Swanson (mike)
|
||||
- **Machine:** GURU-5070
|
||||
- **Role:** admin
|
||||
|
||||
## Summary
|
||||
Two threads:
|
||||
1. **GuruRMM legacy 32-bit installer decision (due-today item).** Investigated whether the
|
||||
legacy tier can adopt native SCM (the multi-AI recommendation in `installer/legacy/README.md`
|
||||
/ SPEC-029 §12), which was documented as blocked on a Rust-1.77 / i686 MSRV check for the
|
||||
`windows-service` crate. **Result: GREEN, end-to-end.** The MSRV wall does not exist, and the
|
||||
`legacy` and `native-service` Cargo features are orthogonal (TLS gates on `legacy` alone).
|
||||
2. **SMB1 client enable** on this Win11 box to reach `192.168.0.20` over the VWP VPN. Staged;
|
||||
reboot pending.
|
||||
|
||||
## Thread 1 — GuruRMM legacy native-SCM (GREEN)
|
||||
|
||||
### Findings
|
||||
- **Isolated MSRV probe** (throwaway crate, `windows-service = "0.7"` + `windows = "0.58"` with
|
||||
the agent's exact feature set): compiles clean on Rust 1.77 -> `i686-pc-windows-msvc`. Run on
|
||||
Beast (`guru@100.101.122.4`). Resolved to 1.77-safe versions (windows-sys 0.52.0,
|
||||
windows-targets 0.52.6). GURU-5070 itself has NO MSVC build tools, so the probe was run on Beast.
|
||||
- **README premise was wrong on two counts:** (a) the crates DO build on 1.77/i686; (b) the legacy
|
||||
rustls TLS-1.2 path gates on the `legacy` feature ONLY (`agent/src/transport/tls.rs` header says
|
||||
so) — NOT on the absence of `native-service`. So `--features legacy,native-service` gives both
|
||||
Win7 rustls TLS 1.2 AND native SCM. The `legacy` feature is purely additive
|
||||
(rustls/webpki/zeroize); zero overlap with `native-service` (`agent/Cargo.toml`).
|
||||
- **End-to-end build (the confirmation Mike approved):** real agent crate,
|
||||
`cargo +1.77 build --ignore-rust-version --release --no-default-features --features legacy,native-service
|
||||
--target i686-pc-windows-msvc`, built in an **isolated git worktree** on Beast
|
||||
(`C:\Temp\gururmm-nsvc`, detached at `fad54ed`) with a separate target dir
|
||||
(`C:\Temp\gururmm-nsvc-target`), lock moved aside so 1.77 re-resolves scoped to the feature set
|
||||
(mirrors the pipeline's legacy wave). **Full-graph lock resolution SUCCEEDED** (the edition-2024
|
||||
transitive-dep fear did not materialize). Built in 2m39s, exit 0, 17 warnings (incl. the
|
||||
already-tracked unused `TrayLauncher::terminate_all`).
|
||||
|
||||
### Artifact
|
||||
- **Path (GURU-5070):** `C:\Users\guru\Downloads\gururmm-agent-legacy-nativeSCM-x86-0.6.66.exe`
|
||||
- **SHA256:** `b0a25e17401c4c16a1334a65c75c6fde7a2ac26d1b60a8cfbca8d13b65e891d3`
|
||||
- Confirmed 32-bit PE (machine `0x014C`), 5.29 MB. **Unsigned** (isolated build — not via pipeline).
|
||||
- Compiled-in endpoints (production): `wss://rmm-api.azcomputerguru.com/ws` /
|
||||
`https://rmm-api.azcomputerguru.com`. Will enroll as a real device.
|
||||
|
||||
### Enrollment gotcha (traced for the Valleywide test)
|
||||
- Native `install()` (`agent/src/service.rs:476`) writes the input into `agent.toml`'s `api_key`;
|
||||
it does NOT set registry `SiteId`. The runtime resolver `resolve_windows_config()`
|
||||
(`agent/src/main.rs`) only ENROLLS when `HKLM\SOFTWARE\GuruRMM\SiteId` is set (enrolls via
|
||||
`/api/enroll` with the site UUID; a friendly code 422s). With only a TOML `api_key` it uses the
|
||||
value verbatim and the server rejects a site code.
|
||||
- **Bulletproof test procedure (elevated):**
|
||||
1. `reg add HKLM\SOFTWARE\GuruRMM /v SiteId /t REG_SZ /d <VALLEYWIDE-SITE-UUID> /f` (UUID, not code; FIRST)
|
||||
2. `gururmm-agent-...exe install --api-key <UUID> --skip-legacy-check`
|
||||
3. `gururmm-agent-...exe start` (service name `GuruRMMAgent`, install dir `C:\Program Files\GuruRMM`)
|
||||
- Verify: `sc query GuruRMMAgent` = RUNNING (real SCM, no NSSM); `reg query HKLM\SOFTWARE\GuruRMM /v AgentKey`
|
||||
appears within ~120s (enrolled over rustls TLS 1.2); device online in dashboard.
|
||||
- Teardown: `gururmm-agent-...exe uninstall`.
|
||||
|
||||
### Beast cleanup pending
|
||||
- Leftover on Beast: `C:\Temp\gururmm-nsvc` (git worktree — remove with
|
||||
`git -C C:\gururmm worktree remove --force C:\Temp\gururmm-nsvc`) and `C:\Temp\gururmm-nsvc-target`,
|
||||
`C:\Temp\nsvc-build.bat`, `C:\Temp\nsvc-build.log`. Left in place in case signing/rebuild needed.
|
||||
|
||||
### Next
|
||||
- Mike validates the binary on a Valleywide machine. On runtime-PASS, correct the SPEC-029 §12 /
|
||||
`installer/legacy/README.md` "blocked / ship NSIS+NSSM" note and pursue the unified x86-MSI +
|
||||
native-SCM direction (drops NSIS + NSSM). Optional: sign the test exe via `sign-windows.sh`.
|
||||
|
||||
## Thread 2 — SMB1 client enable (GURU-5070, Win11)
|
||||
- Goal: reach `192.168.0.20` over VWP VPN (Tailscale off). Both SMB ports reachable (TCP 445 + 139
|
||||
open; ICMP blocked, normal). No per-connection SMB1 switch exists — must install the SMB1 client
|
||||
optional feature.
|
||||
- **Done:** `SMB1Protocol` (parent) + `SMB1Protocol-Client` ENABLED; `SMB1Protocol-Server` left
|
||||
DISABLED (client-only). Payload was present (state was `Disabled`, not payload-removed).
|
||||
- **Reboot REQUIRED** — `mrxsmb10` driver registers only on restart. (This /scc ends with a reboot.)
|
||||
- After reboot: reconnect VWP VPN; `net use \\192.168.0.20\<share> ...`; verify with
|
||||
`Get-SmbConnection` Dialect = 1.5.
|
||||
- **Caveat:** `EnableInsecureGuestLogons` = False. If `.20` is a guest/NAS share, also need
|
||||
`Set-SmbClientConfiguration -EnableInsecureGuestLogons $true`.
|
||||
- **REVERT when done (security):** disable `SMB1Protocol-Client` + parent (+ insecure-guest if set),
|
||||
reboot to unload driver. SMB1 = EternalBlue-class exposure; do not leave on.
|
||||
|
||||
## Pending tasks
|
||||
- [ ] Mike: validate native-SCM legacy agent on a Valleywide machine (artifact + procedure above).
|
||||
- [ ] On PASS: correct SPEC-029 §12 / legacy README; pursue unified x86-MSI + native-SCM.
|
||||
- [ ] Clean up Beast `C:\Temp\gururmm-nsvc*` worktree/target/bat/log.
|
||||
- [ ] After SMB1 task: revert SMB1 client enable on GURU-5070 + reboot.
|
||||
- [ ] Other due-today item still open: SPEC-030 Phase 1 (failed-install visibility) — not started.
|
||||
Reference in New Issue
Block a user