Mike Swanson
ba2ed379f8
Comprehensive infrastructure improvements for AD2 (Domain Controller) remote management and NAS sync system modernization. ## AD2 Remote Access Enhancements **WinRM Configuration:** - Enabled PowerShell Remoting (port 5985) with full logging - Configured TrustedHosts for LAN/VPN access (172.16.*, 192.168.*, 10.*) - Created read-only service account (ClaudeTools-ReadOnly) for safe automation - Set up transcript logging for all remote sessions - Deployed 6 automation scripts to C:\ClaudeTools\Scripts\ (AD user/computer reports, GPO status, replication health, log rotation) **SSH Access:** - Installed OpenSSH Server (v10.0p2) - Generated ED25519 key for passwordless authentication - Configured SSH key authentication for sysadmin account **Benefits:** - Efficient remote operations via persistent WinRM sessions (vs individual SSH commands) - Secure read-only access for queries (no admin rights needed) - Comprehensive audit trail of all remote operations ## Sync System Modernization (AD2 <-> NAS) **Replaced PuTTY with OpenSSH:** - Migrated from pscp.exe/plink.exe to native OpenSSH scp/ssh tools - Added verbose logging (-v flag) for detailed error diagnostics - Implemented auto host-key acceptance (StrictHostKeyChecking=accept-new) - Enhanced error logging to capture actual SCP failure reasons **Problem Solved:** - Original sync errors (738 failures) had no root cause details - PuTTY's batch mode silently failed without error messages - New OpenSSH implementation logs full error output to sync-from-nas.log **Scripts Created:** - setup-openssh-sync.ps1: SSH key generation and NAS configuration - check-openssh-client.ps1: Verify OpenSSH availability - restore-and-fix-sync.ps1: Update Sync-FromNAS.ps1 to use OpenSSH - investigate-sync-errors.ps1: Analyze sync failures with context - test-winrm.ps1: WinRM connection testing (admin + service accounts) - demo-ad2-automation.ps1: WinRM automation examples (AD stats, sync status) ## DOS Batch File Line Ending Fixes **Problem:** All DOS batch files had Unix (LF) line endings instead of DOS (CRLF), causing parsing errors on DOS 6.22 machines. **Fixed:** - Local: 13 batch files converted to CRLF - Remote (AD2): 492 batch files scanned, 10 converted to CRLF - Affected files: DEPLOY.BAT, NWTOC.BAT, CTONW.BAT, UPDATE.BAT, STAGE.BAT, CHECKUPD.BAT, REBOOT.BAT, and station-specific batch files **Scripts Created:** - check-dos-line-endings.ps1: Scan and detect LF vs CRLF - convert-to-dos.ps1: Bulk conversion to DOS format - fix-ad2-dos-files.ps1: Remote conversion via WinRM ## Credentials & Documentation Updates **credentials.md additions:** - Peaceful Spirit VPN configuration (L2TP/IPSec) - AD2 WinRM/SSH access details (both admin and service accounts) - SSH keys and known_hosts configuration - Complete WinRM connection examples **Files Modified:** - credentials.md: +91 lines (VPN, AD2 automation access) - CTONW.BAT, NWTOC.BAT, REBOOT.BAT, STAGE.BAT: Line ending fixes - Infrastructure configs: vpn-connect.bat, vpn-disconnect.bat (CRLF) ## Test Results **WinRM Automation (demo-ad2-automation.ps1):** - Retrieved 178 AD users (156 enabled, 22 disabled, 40 active) - Retrieved 67 AD computers (67 Windows, 6 servers, 53 active) - Checked Dataforth sync status (2,249 files pushed, 738 errors logged) - All operations completed in single remote session (efficient!) **Sync System:** - OpenSSH tools confirmed available on AD2 - Backup created: Sync-FromNAS.ps1.backup-20260119-140918 - Script updated with error logging and verbose output - Next sync run will reveal actual error causes ## Technical Decisions 1. **WinRM over SSH:** More efficient for PowerShell operations, better error handling, native Windows integration 2. **Service Account:** Follows least-privilege principle, safer for automated queries, easier audit trail 3. **OpenSSH over PuTTY:** Modern, maintained, native Windows tool, better error reporting, supports key authentication without external tools 4. **Verbose Logging:** Critical for debugging 738 sync errors - now we'll see actual SCP failure reasons (permissions, paths, network issues) ## Next Steps 1. Monitor next sync run (every 15 minutes) for detailed error messages 2. Analyze SCP error output to identify root cause of 738 failures 3. Implement SSH key authentication for NAS (passwordless) 4. Consider SFTP batch mode for more reliable transfers Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
152 lines
6.2 KiB
PowerShell
152 lines
6.2 KiB
PowerShell
# Setup OpenSSH-based sync for AD2 -> NAS transfers
|
|
# This replaces PuTTY (pscp/plink) with OpenSSH (scp/ssh)
|
|
|
|
$password = ConvertTo-SecureString "Paper123!@#" -AsPlainText -Force
|
|
$cred = New-Object System.Management.Automation.PSCredential("INTRANET\sysadmin", $password)
|
|
|
|
Write-Host "=== Setting Up OpenSSH Sync (AD2 -> NAS) ===" -ForegroundColor Cyan
|
|
Write-Host ""
|
|
|
|
Invoke-Command -ComputerName 192.168.0.6 -Credential $cred -ScriptBlock {
|
|
$NAS_IP = "192.168.0.9"
|
|
$NAS_USER = "root"
|
|
$SCRIPTS_DIR = "C:\Shares\test\scripts"
|
|
$SSH_DIR = "$SCRIPTS_DIR\.ssh"
|
|
$KNOWN_HOSTS = "$SSH_DIR\known_hosts"
|
|
|
|
Write-Host "[1] Creating SSH directory for sync keys" -ForegroundColor Yellow
|
|
Write-Host "=" * 80 -ForegroundColor Gray
|
|
|
|
if (-not (Test-Path $SSH_DIR)) {
|
|
New-Item -ItemType Directory -Path $SSH_DIR -Force | Out-Null
|
|
Write-Host "[OK] Created: $SSH_DIR" -ForegroundColor Green
|
|
} else {
|
|
Write-Host "[OK] Directory exists: $SSH_DIR" -ForegroundColor Green
|
|
}
|
|
|
|
# Set permissions (only SYSTEM and Administrators)
|
|
$acl = Get-Acl $SSH_DIR
|
|
$acl.SetAccessRuleProtection($true, $false)
|
|
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
|
|
|
|
# Add SYSTEM
|
|
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
|
|
"SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
|
|
)
|
|
$acl.AddAccessRule($systemRule)
|
|
|
|
# Add Administrators
|
|
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
|
|
"Administrators", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
|
|
)
|
|
$acl.AddAccessRule($adminRule)
|
|
|
|
Set-Acl -Path $SSH_DIR -AclObject $acl
|
|
Write-Host "[OK] Set secure permissions on SSH directory" -ForegroundColor Green
|
|
Write-Host ""
|
|
|
|
Write-Host "[2] Generating SSH key for NAS sync (ED25519)" -ForegroundColor Yellow
|
|
Write-Host "=" * 80 -ForegroundColor Gray
|
|
|
|
$keyPath = "$SSH_DIR\id_ed25519_nas"
|
|
|
|
if (Test-Path $keyPath) {
|
|
Write-Host "[SKIP] Key already exists: $keyPath" -ForegroundColor Yellow
|
|
Write-Host " Using existing key" -ForegroundColor Gray
|
|
} else {
|
|
# Generate SSH key without passphrase
|
|
& "C:\Program Files\OpenSSH\ssh-keygen.exe" -t ed25519 -f $keyPath -N '""' -C "AD2-NAS-Sync"
|
|
|
|
if (Test-Path $keyPath) {
|
|
Write-Host "[OK] Generated SSH key: $keyPath" -ForegroundColor Green
|
|
} else {
|
|
Write-Host "[ERROR] Failed to generate SSH key" -ForegroundColor Red
|
|
return
|
|
}
|
|
}
|
|
|
|
# Read public key
|
|
$pubKey = Get-Content "$keyPath.pub"
|
|
Write-Host ""
|
|
Write-Host "Public key to add to NAS:" -ForegroundColor Cyan
|
|
Write-Host $pubKey -ForegroundColor White
|
|
Write-Host ""
|
|
|
|
Write-Host "[3] Adding NAS host key to known_hosts" -ForegroundColor Yellow
|
|
Write-Host "=" * 80 -ForegroundColor Gray
|
|
|
|
# Get NAS host key using ssh-keyscan
|
|
$nasHostKey = & "C:\Program Files\OpenSSH\ssh-keyscan.exe" -H $NAS_IP 2>$null
|
|
|
|
if ($nasHostKey) {
|
|
$nasHostKey | Out-File -FilePath $KNOWN_HOSTS -Encoding ASCII -Append
|
|
Write-Host "[OK] Added NAS host key to known_hosts" -ForegroundColor Green
|
|
} else {
|
|
Write-Host "[WARNING] Could not retrieve NAS host key" -ForegroundColor Yellow
|
|
Write-Host " Will use StrictHostKeyChecking=accept-new" -ForegroundColor Gray
|
|
}
|
|
Write-Host ""
|
|
|
|
Write-Host "[4] Testing SSH connection to NAS (with password first)" -ForegroundColor Yellow
|
|
Write-Host "=" * 80 -ForegroundColor Gray
|
|
Write-Host "Attempting to copy public key to NAS..." -ForegroundColor White
|
|
Write-Host ""
|
|
|
|
# Note: We need to manually add the public key to NAS /root/.ssh/authorized_keys
|
|
Write-Host "[ACTION REQUIRED] Add public key to NAS" -ForegroundColor Yellow
|
|
Write-Host "=" * 80 -ForegroundColor Gray
|
|
Write-Host ""
|
|
Write-Host "Run this on the NAS (192.168.0.9) as root:" -ForegroundColor Cyan
|
|
Write-Host ""
|
|
Write-Host "mkdir -p ~/.ssh" -ForegroundColor White
|
|
Write-Host "chmod 700 ~/.ssh" -ForegroundColor White
|
|
Write-Host "echo '$pubKey' >> ~/.ssh/authorized_keys" -ForegroundColor White
|
|
Write-Host "chmod 600 ~/.ssh/authorized_keys" -ForegroundColor White
|
|
Write-Host ""
|
|
Write-Host "Or from AD2 (requires NAS password):" -ForegroundColor Cyan
|
|
Write-Host "ssh root@$NAS_IP 'mkdir -p ~/.ssh && chmod 700 ~/.ssh'" -ForegroundColor White
|
|
Write-Host "ssh root@$NAS_IP 'echo `"$pubKey`" >> ~/.ssh/authorized_keys'" -ForegroundColor White
|
|
Write-Host "ssh root@$NAS_IP 'chmod 600 ~/.ssh/authorized_keys'" -ForegroundColor White
|
|
Write-Host ""
|
|
|
|
Write-Host "[5] Backing up current sync script" -ForegroundColor Yellow
|
|
Write-Host "=" * 80 -ForegroundColor Gray
|
|
|
|
$scriptPath = "$SCRIPTS_DIR\Sync-FromNAS.ps1"
|
|
$backupPath = "$SCRIPTS_DIR\Sync-FromNAS.ps1.backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
|
|
|
|
if (Test-Path $scriptPath) {
|
|
Copy-Item -Path $scriptPath -Destination $backupPath -Force
|
|
Write-Host "[OK] Backup created: $backupPath" -ForegroundColor Green
|
|
} else {
|
|
Write-Host "[WARNING] Original script not found: $scriptPath" -ForegroundColor Yellow
|
|
}
|
|
Write-Host ""
|
|
|
|
Write-Host "[6] Configuration Summary" -ForegroundColor Yellow
|
|
Write-Host "=" * 80 -ForegroundColor Gray
|
|
Write-Host "SSH Directory: $SSH_DIR" -ForegroundColor White
|
|
Write-Host "Private Key: $keyPath" -ForegroundColor White
|
|
Write-Host "Public Key: $keyPath.pub" -ForegroundColor White
|
|
Write-Host "Known Hosts: $KNOWN_HOSTS" -ForegroundColor White
|
|
Write-Host "NAS IP: $NAS_IP" -ForegroundColor White
|
|
Write-Host "NAS User: $NAS_USER" -ForegroundColor White
|
|
Write-Host ""
|
|
|
|
# Return the public key for NAS setup
|
|
return @{
|
|
PublicKey = $pubKey
|
|
KeyPath = $keyPath
|
|
KnownHosts = $KNOWN_HOSTS
|
|
}
|
|
}
|
|
|
|
Write-Host ""
|
|
Write-Host "=== Setup Phase 1 Complete ===" -ForegroundColor Cyan
|
|
Write-Host ""
|
|
Write-Host "Next steps:" -ForegroundColor Yellow
|
|
Write-Host "1. Add the public key to NAS (shown above)" -ForegroundColor White
|
|
Write-Host "2. Test SSH key authentication" -ForegroundColor White
|
|
Write-Host "3. Update Sync-FromNAS.ps1 to use OpenSSH" -ForegroundColor White
|
|
Write-Host ""
|