claudetools/credentials.md
Mike Swanson ba2ed379f8 feat: Add AD2 WinRM automation and modernize sync infrastructure
Comprehensive infrastructure improvements for AD2 (Domain Controller) remote
management and NAS sync system modernization.

## AD2 Remote Access Enhancements

**WinRM Configuration:**
- Enabled PowerShell Remoting (port 5985) with full logging
- Configured TrustedHosts for LAN/VPN access (172.16.*, 192.168.*, 10.*)
- Created read-only service account (ClaudeTools-ReadOnly) for safe automation
- Set up transcript logging for all remote sessions
- Deployed 6 automation scripts to C:\ClaudeTools\Scripts\ (AD user/computer
  reports, GPO status, replication health, log rotation)

**SSH Access:**
- Installed OpenSSH Server (v10.0p2)
- Generated ED25519 key for passwordless authentication
- Configured SSH key authentication for sysadmin account

**Benefits:**
- Efficient remote operations via persistent WinRM sessions (vs individual SSH commands)
- Secure read-only access for queries (no admin rights needed)
- Comprehensive audit trail of all remote operations

## Sync System Modernization (AD2 <-> NAS)

**Replaced PuTTY with OpenSSH:**
- Migrated from pscp.exe/plink.exe to native OpenSSH scp/ssh tools
- Added verbose logging (-v flag) for detailed error diagnostics
- Implemented auto host-key acceptance (StrictHostKeyChecking=accept-new)
- Enhanced error logging to capture actual SCP failure reasons

**Problem Solved:**
- Original sync errors (738 failures) had no root cause details
- PuTTY's batch mode silently failed without error messages
- New OpenSSH implementation logs full error output to sync-from-nas.log

**Scripts Created:**
- setup-openssh-sync.ps1: SSH key generation and NAS configuration
- check-openssh-client.ps1: Verify OpenSSH availability
- restore-and-fix-sync.ps1: Update Sync-FromNAS.ps1 to use OpenSSH
- investigate-sync-errors.ps1: Analyze sync failures with context
- test-winrm.ps1: WinRM connection testing (admin + service accounts)
- demo-ad2-automation.ps1: WinRM automation examples (AD stats, sync status)

## DOS Batch File Line Ending Fixes

**Problem:** All DOS batch files had Unix (LF) line endings instead of DOS (CRLF),
causing parsing errors on DOS 6.22 machines.

**Fixed:**
- Local: 13 batch files converted to CRLF
- Remote (AD2): 492 batch files scanned, 10 converted to CRLF
- Affected files: DEPLOY.BAT, NWTOC.BAT, CTONW.BAT, UPDATE.BAT, STAGE.BAT,
  CHECKUPD.BAT, REBOOT.BAT, and station-specific batch files

**Scripts Created:**
- check-dos-line-endings.ps1: Scan and detect LF vs CRLF
- convert-to-dos.ps1: Bulk conversion to DOS format
- fix-ad2-dos-files.ps1: Remote conversion via WinRM

## Credentials & Documentation Updates

**credentials.md additions:**
- Peaceful Spirit VPN configuration (L2TP/IPSec)
- AD2 WinRM/SSH access details (both admin and service accounts)
- SSH keys and known_hosts configuration
- Complete WinRM connection examples

**Files Modified:**
- credentials.md: +91 lines (VPN, AD2 automation access)
- CTONW.BAT, NWTOC.BAT, REBOOT.BAT, STAGE.BAT: Line ending fixes
- Infrastructure configs: vpn-connect.bat, vpn-disconnect.bat (CRLF)

## Test Results

**WinRM Automation (demo-ad2-automation.ps1):**
- Retrieved 178 AD users (156 enabled, 22 disabled, 40 active)
- Retrieved 67 AD computers (67 Windows, 6 servers, 53 active)
- Checked Dataforth sync status (2,249 files pushed, 738 errors logged)
- All operations completed in single remote session (efficient!)

**Sync System:**
- OpenSSH tools confirmed available on AD2
- Backup created: Sync-FromNAS.ps1.backup-20260119-140918
- Script updated with error logging and verbose output
- Next sync run will reveal actual error causes

## Technical Decisions

1. **WinRM over SSH:** More efficient for PowerShell operations, better error
   handling, native Windows integration
2. **Service Account:** Follows least-privilege principle, safer for automated
   queries, easier audit trail
3. **OpenSSH over PuTTY:** Modern, maintained, native Windows tool, better error
   reporting, supports key authentication without external tools
4. **Verbose Logging:** Critical for debugging 738 sync errors - now we'll see
   actual SCP failure reasons (permissions, paths, network issues)

## Next Steps

1. Monitor next sync run (every 15 minutes) for detailed error messages
2. Analyze SCP error output to identify root cause of 738 failures
3. Implement SSH key authentication for NAS (passwordless)
4. Consider SFTP batch mode for more reliable transfers

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-19 14:28:24 -07:00
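
The LF-versus-CRLF check and bulk conversion described in the commit message above, as an added example. This is editor's code, not the project's check-dos-line-endings.ps1, convert-to-dos.ps1 or fix-ad2-dos-files.ps1. The share path C:\Shares\test comes from the page; the backup directory under %TEMP% is a constructed placeholder. Two details matter for DOS 6.22 targets: files are handled as raw bytes through a byte-transparent ISO-8859-1 decode so code page 437 characters survive untouched, and nothing is written with a BOM or a UTF-16 encoding (the Windows PowerShell default for Out-File), either of which a DOS command interpreter cannot parse. Backups are kept out of the synced share so that they are not pushed to the NAS.

```powershell
# Added example (editor's code, not the project's scripts). Report .BAT files whose
# line endings are bare LF or mixed, then rewrite them CRLF-only, byte-for-byte otherwise.

# ISO-8859-1 maps every byte to exactly one char, so decode/encode round-trips DOS
# code page 437 characters without alteration (ASCII or UTF-8 would not).
$script:Latin1 = [System.Text.Encoding]::GetEncoding(28591)

function Get-LineEndingReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Filter *.BAT -File -Recurse | ForEach-Object {
        $text = $script:Latin1.GetString([System.IO.File]::ReadAllBytes($_.FullName))
        $crlf = [regex]::Matches($text, '\r\n').Count
        $lf   = [regex]::Matches($text, '(?<!\r)\n').Count   # LF not preceded by CR
        if     ($lf -eq 0)   { $status = 'OK' }              # already DOS
        elseif ($crlf -eq 0) { $status = 'UNIX' }            # every line ending is LF
        else                 { $status = 'MIXED' }           # partially converted / hand-edited
        [pscustomobject]@{ File = $_.FullName; CRLF = $crlf; BareLF = $lf; Status = $status }
    }
}

function ConvertTo-DosLineEndings {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$File,
        # Placeholder: keep pre-conversion copies OUTSIDE the synced share
        [string]$BackupDir = (Join-Path $env:TEMP 'dos-lf-backup')
    )
    process {
        $bytes = [System.IO.File]::ReadAllBytes($File)
        $text  = $script:Latin1.GetString($bytes)
        $fixed = [regex]::Replace($text, '(?<!\r)\n', "`r`n")   # leaves existing CRLF alone
        if ($fixed -eq $text) { return }                          # nothing to do
        if ($PSCmdlet.ShouldProcess($File, 'Convert LF to CRLF')) {
            New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
            # Flatten the full path into the backup file name so TS-01\STAGE.BAT and
            # TS-02\STAGE.BAT do not overwrite each other.
            $backupName = $File -replace '[:\\]', '_'
            Copy-Item -LiteralPath $File -Destination (Join-Path $BackupDir $backupName) -Force
            # Write raw bytes back: no BOM, no UTF-16, same code page 437 bytes as before.
            [System.IO.File]::WriteAllBytes($File, $script:Latin1.GetBytes($fixed))
        }
    }
}

# Usage: report first, then convert only the files that need it. Drop -WhatIf to apply.
$report = Get-LineEndingReport -Path 'C:\Shares\test'
$report | Format-Table -AutoSize
$report | Where-Object BareLF -gt 0 | ConvertTo-DosLineEndings -WhatIf
```

The same two functions can be dot-sourced inside an Invoke-Command script block over WinRM to do the remote pass the commit message describes; the report step is worth running on its own first, because a MIXED file usually means someone edited it on both sides and the diff deserves a look before it is rewritten.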


Credentials & Authorization Reference

Last Updated: 2026-01-19
Purpose: Centralized credentials for Claude Code context recovery
Project: ClaudeTools MSP Work Tracking System


Infrastructure - SSH Access

GuruRMM Server (172.16.3.30)

  • Host: 172.16.3.30
  • User: guru
  • SSH Port: 22
  • Role: Production server hosting ClaudeTools database and API
  • Services:
    • MariaDB 10.6.22 (Port 3306)
    • ClaudeTools API (Port 8001)
    • Nginx reverse proxy (Port 80/443)
  • Database:
    • Database: claudetools
    • User: claudetools
    • Password: CT_e8fcd5a3952030a79ed6debae6c954ed
  • Notes: Primary ClaudeTools infrastructure, systemd service auto-starts API

Jupiter (Unraid Primary - 172.16.3.20)

  • Host: 172.16.3.20
  • User: root
  • SSH Port: 22
  • Password: Th1nk3r^99##
  • Role: Primary container host, Gitea server
  • Services:
    • Gitea (Port 3000, SSH 2222)
    • Docker containers
  • Notes: Used for code repository management and version control

Dataforth Infrastructure

AD2 (Production Server - 192.168.0.6)

  • Host: 192.168.0.6
  • Domain: INTRANET
  • User: INTRANET\sysadmin
  • Password: Paper123!@#
  • OS: Windows Server 2022
  • Local Path: C:\Shares\test
  • Share Access: \\192.168.0.6\C$ (admin share, requires credentials)
  • Role: Production server for Dataforth DOS machines
  • Services:
    • Active Directory Domain Controller
    • File Server (SMB3)
    • Scheduled sync task (Sync-FromNAS.ps1 every 15 min)
    • WinRM (PowerShell Remoting) on port 5985
    • OpenSSH Server on port 22
  • Network: 192.168.0.0/24
  • Automation Access:
    • Service Account: INTRANET\ClaudeTools-ReadOnly
    • Service Password: vG!UCAD>=#gIk}1A3=:{+DV3
    • Service UPN: ClaudeTools-ReadOnly@dataforth.local
    • Permissions: Read-only AD access, Remote Management Users group
    • Scripts Location: C:\ClaudeTools\Scripts\
    • Logs Location: C:\ClaudeTools\Logs\Transcripts\
  • SSH Key (sysadmin account):
    • Key Type: ED25519
    • Fingerprint: SHA256:JsiEDAJ/fD19d6W7B5iuV78f8dLKZbLTrMor7b9CXSQ
    • Public Key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHpk0bdronDasfx5RYjky4N4xIeUJF5xIJdX08rb3+Ui sysadmin@AD2-automation
    • Private Key Location: C:\Users\sysadmin\.ssh\id_ed25519
  • WinRM Configuration:
    • TrustedHosts: 172.16.*,192.168.*,10.* (LAN/VPN access)
    • Listener: HTTP on port 5985
    • Transcript Logging: Enabled (all remote sessions logged)
    • Module Logging: Enabled
    • Script Block Logging: Enabled
  • Connection Method (SMB Share):
    $pass = ConvertTo-SecureString 'Paper123!@#' -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential('INTRANET\sysadmin', $pass)
    New-PSDrive -Name Z -PSProvider FileSystem -Root '\\192.168.0.6\C$' -Credential $cred
    # Access: Z:\Shares\test\
    
  • Connection Method (WinRM - Admin):
    $password = ConvertTo-SecureString 'Paper123!@#' -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential('INTRANET\sysadmin', $password)
    Enter-PSSession -ComputerName 192.168.0.6 -Credential $cred
    
  • Connection Method (WinRM - Read-Only):
    $password = ConvertTo-SecureString 'vG!UCAD>=#gIk}1A3=:{+DV3' -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential('INTRANET\ClaudeTools-ReadOnly', $password)
    Enter-PSSession -ComputerName 192.168.0.6 -Credential $cred
    
  • Connection Method (SSH):
    ssh INTRANET\\sysadmin@192.168.0.6
    # Password: Paper123!@#
    # Or with key: ssh -i path/to/id_ed25519 INTRANET\\sysadmin@192.168.0.6
    
  • Software Update Locations:
    • Common (all machines): C:\Shares\test\COMMON\ProdSW\ and C:\Shares\test\_COMMON\ProdSW\
    • Station-specific: C:\Shares\test\TS-XX\ProdSW\
    • System files: C:\Shares\test\COMMON\DOS\
  • Notes:
    • SMB1 disabled for security (after crypto attack)
    • Sync mechanism moved from NAS to AD2 due to WINS crashes
    • Files sync to NAS within 15 minutes after placement
    • DOS machines pull from NAS (not directly from AD2)
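
The read-only WinRM access listed above (a service account in Remote Management Users, one persistent session rather than a command per SSH call), as an added example. This is editor's code, not the project's demo-ad2-automation.ps1 and not code from this file. The host and account name are the page's; the credential is prompted for with Get-Credential instead of being pasted into the script as plain text, the session is checked to be non-administrative before any query runs, and the AD user and computer counts are gathered in that single session. The 30-day window used for "active" is an assumption; the page does not say how it defines active. Because the connection is by IP address with NTLM, the client running this must list the server in its own WinRM TrustedHosts.

```powershell
# Added example (editor's code, not the project's demo script): one persistent,
# least-privilege WinRM session to AD2, verified non-admin, then read-only AD reporting.

$Server  = '192.168.0.6'
$Account = 'INTRANET\ClaudeTools-ReadOnly'

# Prompt for the password rather than embedding it in the script or a transcript.
$cred = Get-Credential -UserName $Account -Message "Password for $Account"

# One session; every Invoke-Command below reuses it instead of re-authenticating.
$session = New-PSSession -ComputerName $Server -Credential $cred -ErrorAction Stop
try {
    # Least-privilege check: the service account must NOT hold administrator rights on the DC.
    $isAdmin = Invoke-Command -Session $session -ScriptBlock {
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        ([Security.Principal.WindowsPrincipal]$id).IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    if ($isAdmin) {
        throw "$Account has administrator rights on $Server; refusing to continue with a privileged session."
    }

    # Read-only report. "Active" = logged on within 30 days (assumed definition).
    $report = Invoke-Command -Session $session -ScriptBlock {
        Import-Module ActiveDirectory
        $cutoff    = (Get-Date).AddDays(-30)
        $users     = @(Get-ADUser     -Filter * -Properties Enabled, LastLogonDate)
        $computers = @(Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate)
        [pscustomobject]@{
            Users              = $users.Count
            UsersEnabled       = @($users | Where-Object Enabled).Count
            UsersDisabled      = @($users | Where-Object { -not $_.Enabled }).Count
            UsersActive30d     = @($users | Where-Object { $_.LastLogonDate -ge $cutoff }).Count
            Computers          = $computers.Count
            Servers            = @($computers | Where-Object { $_.OperatingSystem -like '*Server*' }).Count
            ComputersActive30d = @($computers | Where-Object { $_.LastLogonDate -ge $cutoff }).Count
        }
    }
    $report | Format-List
}
finally {
    # Always close the session; AD2's transcript and script block logging record it either way.
    Remove-PSSession $session
}
```

The IsInRole check is the part worth keeping in any automation built on this account: if someone later adds ClaudeTools-ReadOnly to a privileged group, the script stops instead of silently running read-only queries with domain-admin rights, and the transcript on AD2 shows the refusal.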

D2TESTNAS (SMB1 Proxy - 192.168.0.9)

  • Host: 192.168.0.9
  • HTTP: http://192.168.0.9/
  • User (Web): admin
  • Password (Web): Paper123!@#-nas
  • SSH User: root
  • SSH Auth: ed25519 key (passwordless)
  • Role: SMB1 proxy/bridge for DOS 6.22 machines
  • OS: Linux (NAS appliance)
  • Share: \\D2TESTNAS\test (maps to /data/test)
  • Services:
    • SMB1 server (for DOS machine compatibility)
    • SSH server (Port 22)
  • Notes:
    • Bridges DOS machines (SMB1) with AD2 (SMB3)
    • Previous sync location (moved to AD2)
    • Network path: /data/test/

Dataforth DOS Machines (TS-XX)

  • Network: 192.168.0.0/24
  • OS: MS-DOS 6.22
  • Count: ~30 machines for QC testing
  • Naming: TS-01 through TS-30
  • Network Share: T: drive (maps to \\D2TESTNAS\test)
  • Machine Variable: %MACHINE% (set in AUTOEXEC.BAT)
  • Backup Location: T:\%MACHINE%\BACKUP\
  • Update Path: T:\COMMON\
  • Credentials: None (local DOS machines)
  • Notes:
    • SMB1 protocol required
    • DOS 6.22 limitations: no %COMPUTERNAME%, no IF /I
    • Network stack: MS Client 3.0, Netware VLM client
    • Update workflow: AD2 → D2TESTNAS → DOS machines

AD2-NAS Sync System

  • Script: C:\Shares\test\scripts\Sync-FromNAS.ps1
  • Runs: Every 15 minutes (Windows Scheduled Task)
  • User: INTRANET\sysadmin
  • Direction: Bidirectional
  • Tools: PuTTY (plink.exe, pscp.exe)
  • Log: C:\Shares\test\scripts\sync-from-nas.log
  • Status: C:\Shares\test\_SYNC_STATUS.txt (monitored by DattoRMM)
  • Last Verified: 2026-01-19 12:09 PM (running successfully)
  • PULL (NAS → AD2):
    • Test results: /data/test/TS-XX/LOGS/*.DAT → C:\Shares\test\TS-XX\LOGS\
    • Reports: /data/test/TS-XX/Reports/*.TXT → C:\Shares\test\TS-XX\Reports\
    • Files deleted from NAS after successful sync
    • DAT files imported to database automatically
  • PUSH (AD2 → NAS):
    • Common updates: C:\Shares\test\COMMON\ProdSW\ → /data/test/COMMON/ProdSW/
    • Station updates: C:\Shares\test\TS-XX\ProdSW\ → /data/test/TS-XX/ProdSW/
    • Root utility: C:\Shares\test\UPDATE.BAT → /data/test/UPDATE.BAT
    • One-shot tasks: C:\Shares\test\TS-XX\TODO.BAT → /data/test/TS-XX/TODO.BAT
  • Notes:
    • Moved from NAS to AD2 in January 2026
    • Reason: WINS crashes and SSH lockups on NAS
    • NAS script (/root/sync-to-ad2.sh) is DEPRECATED
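
The OpenSSH-based push that the commit message describes (scp with -v and StrictHostKeyChecking=accept-new, with the real failure reason written to sync-from-nas.log instead of the silent PuTTY batch-mode failure), as an added example. This is editor's code, not the project's Sync-FromNAS.ps1. The NAS host, its root SSH user, the /data/test/UPDATE.BAT push target and the log path are the page's; the key path is a placeholder. The security point is the host-key policy: accept-new records the NAS key on first contact but refuses a changed key, so a rebuilt or impersonated NAS makes the sync fail loudly, with the reason in the log, rather than pushing files to an unverified host as StrictHostKeyChecking=no would.

```powershell
# Added example (editor's code, not the project's Sync-FromNAS.ps1): copy one file with
# the Windows OpenSSH scp client and log the actual failure reason on a non-zero exit.

function Invoke-ScpWithLog {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,       # e.g. root@192.168.0.9:/data/test/UPDATE.BAT
        [string]$KeyPath = 'C:\PLACEHOLDER\id_ed25519',   # placeholder: sync key, not on the page
        [string]$LogPath = 'C:\Shares\test\scripts\sync-from-nas.log'
    )
    $stdoutFile = [System.IO.Path]::GetTempFileName()
    $stderrFile = [System.IO.Path]::GetTempFileName()

    # -v         : diagnostics on stderr, so a failure explains itself
    # -B         : batch mode, never prompt (a hung prompt is a silent failure in a scheduled task)
    # accept-new : trust the NAS key on first contact, refuse a CHANGED key
    $scpArgs = @('-v', '-B', '-i', $KeyPath,
                 '-o', 'StrictHostKeyChecking=accept-new',
                 '-o', 'ConnectTimeout=15',
                 $Source, $Destination)
    try {
        $proc = Start-Process -FilePath 'scp.exe' -ArgumentList $scpArgs -NoNewWindow -Wait -PassThru `
                    -RedirectStandardOutput $stdoutFile -RedirectStandardError $stderrFile
        $diag  = Get-Content -LiteralPath $stderrFile -Raw
        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

        if ($proc.ExitCode -eq 0) {
            Add-Content -LiteralPath $LogPath -Value "$stamp OK   $Source -> $Destination"
        }
        else {
            # Pull out the lines that state the cause; keep the full -v output below them.
            $reason = ($diag -split "`r?`n" |
                       Where-Object { $_ -match 'denied|No such file|refused|timed out|Host key verification|REMOTE HOST IDENTIFICATION' }) -join ' | '
            Add-Content -LiteralPath $LogPath -Value "$stamp FAIL exit=$($proc.ExitCode) $Source -> $Destination :: $reason"
            Add-Content -LiteralPath $LogPath -Value $diag
        }
        return $proc.ExitCode
    }
    finally {
        Remove-Item -LiteralPath $stdoutFile, $stderrFile -ErrorAction SilentlyContinue
    }
}

# Usage (network required, so left as a comment):
# Invoke-ScpWithLog -Source 'C:\Shares\test\UPDATE.BAT' -Destination 'root@192.168.0.9:/data/test/UPDATE.BAT'
```

A "REMOTE HOST IDENTIFICATION HAS CHANGED" line in sync-from-nas.log should be treated as an incident to confirm (was the NAS rebuilt?) before the stale entry is removed from the sysadmin account's known_hosts; it is the one failure this wrapper should never be made to retry past automatically.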

Services - Web Applications

Gitea (Git Server)

ClaudeTools API (Production)


Projects - ClaudeTools

Database (MariaDB)

  • Host: 172.16.3.30
  • Port: 3306
  • Database: claudetools
  • User: claudetools
  • Password: CT_e8fcd5a3952030a79ed6debae6c954ed
  • Connection String:
    mysql+pymysql://claudetools:CT_e8fcd5a3952030a79ed6debae6c954ed@172.16.3.30:3306/claudetools?charset=utf8mb4
    
  • Tables: 38 tables (fully migrated)
  • Encryption: AES-256-GCM for credentials table
  • Backup: Daily automated backups

API Authentication

  • Method: JWT tokens
  • Password Hashing: Argon2
  • Token Endpoint: POST /api/auth/token
  • Token Format: Bearer token in Authorization header
  • Example:
    curl -X POST http://172.16.3.30:8001/api/auth/token \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "username=test@example.com&password=testpassword123"
    

Encryption Keys

  • Method: AES-256-GCM (Fernet)
  • Key Storage: Environment variable ENCRYPTION_KEY
  • Usage: Credentials table password encryption
  • Notes: Never commit encryption key to git

Projects - Dataforth DOS

Update Workflow

  • Admin Deposits: \\AD2\test\COMMON\ (on AD2)
  • Sync Mechanism: AD2 scheduled task (location TBD)
  • DOS Pull: T:\COMMON\ (from D2TESTNAS)
  • Backup Target: T:\%MACHINE%\BACKUP\

Key Files

  • UPDATE.BAT: Machine backup utility (runs on DOS)
  • NWTOC.BAT: Network to Computer updates
  • CTONW.BAT: Computer to Network uploads
  • STAGE.BAT: System file staging for reboot
  • REBOOT.BAT: Auto-generated, applies staged updates
  • AUTOEXEC.BAT: DOS startup, sets %MACHINE% variable
  • CONFIG.SYS: DOS system configuration
  • STARTNET.BAT: Network stack initialization

Folder Structure

\\AD2\test\
├── COMMON\              # Shared updates for all machines
│   ├── DOS\            # System files (AUTOEXEC.NEW, CONFIG.NEW)
│   ├── ProdSW\         # Production software updates
│   └── NewSW\          # New software distributions
└── TS-XX\              # Individual machine folders
    └── Backup\         # Machine-specific backups

Connection Testing

Test Database Connection

mysql -h 172.16.3.30 -u claudetools -p claudetools
# Password: CT_e8fcd5a3952030a79ed6debae6c954ed

Test API Connectivity

curl http://172.16.3.30:8001/api/health

Test Gitea SSH

ssh -p 2222 git@172.16.3.20
# Should return: "Hi there! You've successfully authenticated..."

Test AD2 Access (from Dataforth network)

net use T: \\192.168.0.6\test /user:INTRANET\sysadmin Paper123!@#

Test NAS Access (from Dataforth network)

net use T: \\192.168.0.9\test

Security Notes

  • Never commit this file to public repositories
  • Credentials are stored unredacted for context recovery
  • ClaudeTools encrypts credentials in database with AES-256-GCM
  • JWT tokens expire after configured duration
  • SSH keys required for Gitea access (ed25519)
  • Dataforth network is isolated (192.168.0.0/24)
  • AD2 has SMB1 disabled for security (post crypto-attack)
  • All production credentials should be rotated regularly

VPN Access

Peaceful Spirit VPN (L2TP/IPSec)

  • Server IP: 98.190.129.150
  • Tunnel Type: L2TP/IPSec
  • Pre-Shared Key (PSK): z5zkNBds2V9eIkdey09Zm6Khil3DAZs8
  • Username: pst-admin
  • Password: 24Hearts$
  • Connection Name: Peaceful Spirit VPN
  • Purpose: Remote access to Peaceful Spirit Country Club network
  • Authentication: MS-CHAPv2 with PSK
  • Split Tunneling: Enabled (only CC traffic uses VPN)
  • Setup Script: D:\ClaudeTools\Create-PeacefulSpiritVPN.ps1
  • Quick Setup: D:\ClaudeTools\VPN_QUICK_SETUP.md

Network Configuration (UniFi Router at CC):

  • Remote Network: 192.168.0.0/24
  • DNS Server: 192.168.0.2
  • Gateway: 192.168.0.10

Complete Setup (Run as Administrator):

# Step 1: Create VPN connection with split tunneling
# -SplitTunneling is a switch: a trailing "$true" would be taken as an unbound positional argument and fail the call
Add-VpnConnection -Name "Peaceful Spirit VPN" -ServerAddress "98.190.129.150" -TunnelType L2tp -L2tpPsk "z5zkNBds2V9eIkdey09Zm6Khil3DAZs8" -AuthenticationMethod MsChapv2 -EncryptionLevel Required -AllUserConnection -RememberCredential -SplitTunneling

# Step 2: Add route for CC network (192.168.0.0/24)
Add-VpnConnectionRoute -ConnectionName "Peaceful Spirit VPN" -DestinationPrefix "192.168.0.0/24" -AllUserConnection

# Step 3: Configure DNS server
Set-DnsClientServerAddress -InterfaceAlias "Peaceful Spirit VPN" -ServerAddresses "192.168.0.2"

# Step 4: Save credentials for pre-login access
rasdial "Peaceful Spirit VPN" "pst-admin" "24Hearts$"
rasdial "Peaceful Spirit VPN" /disconnect

# Step 5: Enable pre-login VPN
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "UseRasCredentials" -Value 1 -Type DWord

Quick Connect:

rasdial "Peaceful Spirit VPN"

Disconnect:

rasdial "Peaceful Spirit VPN" /disconnect

Context Recovery Usage

When a new Claude session starts or context is lost:

  1. Read this file first - Get all credentials and infrastructure details
  2. Check session-logs/ - Find recent work and decisions
  3. Read SESSION_STATE.md - Get project status and phase
  4. Read .claude/claude.md - Get project overview

This ensures full context recovery without asking user for information already documented.