On 2018-01-13 the NUC6CAYH arrived, freeing up the NUC5i5RYH to become Baobei, the machine running Microsoft Windows and its task preparation and accounting packages. Here's what I did to set that up.
Symptom: it would not wake on LAN from S5. Actually I did this late, should have done it first. The following is from after I installed BIOS 0367 and reverted explicitly to factory defaults (press F9). All settings were left alone except as noted.
How should I set the
Primary Power Setting? The only
differences that I can see are in Package Power Limit 1 (Sustained)
which is 20W for Max (the factory default), 15W for Balanced, 8W for
low power. And also an averaging window changes. Burst mode is 25W
for all. If the machine encounters a task requiring a lot of CPU, if
allowed 8W it will run longer but cooler, or at 20W it goes quicker but
hotter. Or with more power a game's frame rate can be higher. Hotter
means more fan noise and in theory can shorten the life of the CPU, but
I doubt that it gets hot enough on the factory default setting of Max
to do damage; you need to get into the overclocking menu to really do a
roast job. For my use case in Windows, most of my computation is in
burst mode, and I doubt I will notice any difference between different
values of Primary Power Setting.
Ben bought us a product key for Windows 10 Pro ($35). It's recorded in win10-key.txt (not publicly readable). The reason for getting the Pro edition is to get a RDP server. Win10 Home has a RDP client but not the server. Here are the steps in getting the media.
Download Windows to the local disc first. 4.4Gb at 5.3Mb/sec, about 15 mins.
Remove Iris' disc. Hiatus while the new Iris is set up under the name of Iris.
Replace it with a new Seagate Barracuda 500Gb ST500LM030 ($46). Its serno: WDETD8Z6
Copy the ISO image to a USB flash stick:
dd if=/tmp/Win10_1709_English_x64.iso of=/dev/sdb
dd rate: 4.9Mb/sec (like a snail). Linux agrees that it has turned into an ISO 9660 CDROM.
Boot from this device. Unable to boot the installation media. Both UEFI and legacy booters think it exists but is not bootable.
Second howto on Webupd8.org by Andrew, 2016-06-09.
Look for woeusb, it's on SuSE Build Service in a dev's homedir.
Original WinUSB by Colin GILLES, forked by slacka into woeusb.
zypper install http:whatever.
It appears to use grub as the booter, with the EFI module installed.
woeusb --help for the help. (No man page.) Command line:
/dev/sdb is the USB flash stick.
woeusb -v --label WIN10INS --device /tmp/Win10_1709_English_x64.iso /dev/sdb
install.wim is the biggest file on the disc, be patient. One problem was encountered: it installed grub to do the legacy boot but grub2-install had to revert to blocklists which are deprecated; they will break if the referent file(s) are moved. But this is unlikely on installation media :-)
I booted the media. Looks like it attempted legacy boot and failed. I restarted the machine, got the boot menu (F10 at the splash screen), and picked UEFI boot USB device. It booted the Windows installer.
We're going to install Windows, then check things out. Hostname to be orion.
Once it boots it asks you for this setup information:
Do this later)
These are additional setup steps to get it working on my network.
Click on the Network icon (lower right corner). Ignore Wi-fi. (This machine has builtin Wi-Fi which is irrelevant for this use case.) Hit Network (the top row).
Change to Private network. Allows printing and file sharing.
Click on Configre Firewall and Security (opens Windows Defender).
Allow app(s) through firewall: Click on
While we're at it, let's do the whole setup.
As this is written, Ben says the current build number is 16299.192 .
We are now at 16299.15 which I think is just what's on the installation
media. If you hit
Check for Updates it may or may not find some
after a ridiculously long time, but makes no progress downloading the
ones that were found.
Skipping a page of troubleshooting steps. I power cycled Jacinth and things got a lot better.
Short story on Windows Update: on some but not all content delivery nodes, IPv6 is screwed up. Sometimes you can update using IPv6 and sometimes you can't. I disabled IPv6 on the network adapter and got the updates. Build number 16299.192 which is current as of 2018-01-18.
SSH client: Recommendations from www.ssh.com: They're still recommending Bitvise Tunnelier. Installed, working, both shell and SFTP.
Office 2007, from our CD media, using our USB CD drive.
Evince -- but how do you get Edge (etc) to use it as the default viewer?
Turbo Tax -- Downloaded from Intuit.
I'm using the Remmina client on Linux; see the next section. But it absolutely could not connect to the RDP server. Skipping another page or two of troubleshooting steps. Ben and I worked together to break this loose. The issue turns out to be, there are 3 choices for the security protocol:
RDP: not sure what this really is, but it may mean no encryption for anything.
TLS: Like HTTPS, it appears to tunnel the RDP security protocol as well as the content over an initially opened TLS connection. The server creates a lameass self-signed certificate for this, which the client cannot trust and has to make a security exception for.
NLA: Network Level Authentication. This means to do SPNEGO
(Simple and Protected GSSAPI Negotiation Mechanism) which
uses GSSAPI (Generic Security Services Application Program
Interface) to negotiate a mechanism, which invariably ends up
picking Kerberos to securely and robustly authenticate the client.
Provided that the server has Active Directory configured and has
appropriate credentials to decrypt the service ticket that it will
receive from the KDC (one of the steps in
domain). I'm not sure if the content gets encrypted.
Negotiate is another choice for the client, but as a
security intervention, RDP on Windows 10 has mandatory NLA set by
default and the procedure to turn it off is hidden.
Jimc of course has a functioning Kerberos and LDAP infrastructure for Linux, but does not have the LDAP schema to do Active Directory, and does not have the inclination to set this up just for this one Windows machine.
Another possibility is to do the remote desktop thing by VNC. I actually installed the TightVNC server on Baobei and used it successfully. But our security rules require that authentication data, and preferably the entire content, be encrypted on the wire, similar to what SSH does. That would mean setting up an intra-data-center VPN from the Financial Manager's machine to Baobei. While that kind of thing is a best practice in the corporate world, particularly with outsourced colocation services, it would be ridiculous overkill in our situation. There are also useability issues with VNC authentication which reduce the WAF (Wife Acceptance Factor) of VNC. So I will continue debugging RDP, with its intrinsic security.
Ben finally found this procedure to turn off NLA. Then TLS could be used successfully.
Require Network Level Authentication (NLA)is checked and you can't un-check it.
Allow connections only from computers using Network Level Authentication (recommended). Un-check it. Hit OK.
5 of the Best Linux Remote Desktop Clients, on Techradar. RealVNC, TigerVNC, TightVNC do VNC only, so don't help me. Remmina and Vinagre can do both RDP and VNC, and can make the connection over a SSH forwarded port (if the target has a SSH server, not typical for Windows). Remmina can spawn SSH shell sessions (and several other remote desktop protocols, using plugins). Since my Linux machines already have Remmina and don't have Vinagre, I'm concentrating on Remmina.
It is assumed that the reader will have used the procedure detailed above to not insist on NLA. A couple of pages of troubleshooting steps, involving NLA being required and not having the required Kerberos ticket, have been omitted.
How to use Remmina: preparing a connection profile. Hit +, or right click on an existing connection line and pick edit.
Basic tab (click the icon)
Use Client Resolution. Otherwise pick a custom resolution that fits your screen.
Advanced tab (click the icon)
Bestis useable on a LAN; includes desktop wallpaper. Downgrade to
Pooron a slow data link.
How tp use Remmina: making the connection. Double-click the connection row, or right click and pick Connect. Accept the lame self-signed cert from the target (first time only). You will get a window with a framebuffer as if on the target's console. Authenticate to the Windows greeter, and do your thing. When you sign out, the connection will be closed and the framebuffer window will vanish. (VNC works similarly, assuming a VNC server is running on the target.)
Tweaking remmina startup preferences: ~/.config/remmina/remmina.pref
Windows does not really have the concept of multi-user operation. If the same user is already logged in to the target, e.g. at the console, that instance will be locked, and the RDP session will see the ongoing framebuffer and will have input focus. When the user disconnects RDP (without signing out), the other instance will unlock. When different users are involved I'm not sure what will happen, but this is not something Windows is designed to do. Remote Assistance uses RDP, and both instances would then be able to see the session and to provide input.
TightVNC-2.8.8 includes a server and a viewer. The installer also associates .vnc files with the viewer; registers the server as a system service; allows simulated ctrl-alt-del; and makes a firewall hole for VNC. Post-install setup wizrd: you need to set a password for remote access and for the administrative interface. See nearby file (mode 600) for the password. The server is started immediately, and at reboot. Since I have RDP working, I'm going to de-install the VNC server.
The job now is to get user files off the virtual machine (Baobei) onto the
new bare metal machine (Orion), after which the VM will never be seen again,
and Orion will take over tha name and IPv4/6 addresses of Baobei. Actually
I renamed the VM to
baobei-vm just in case.
Start up Baobei (the VM) for the last time.
Clean up Alice's junk files, particularly
Use the Windows Migration Tool to pack up Alice's remaining stuff, and export it to the new Baobei. What Windows Migration Tool? That was last seen in Windows NT. You have to use a 3rd party tool or do it by hand. It should have been possible to set up CIFS, but it didn't work out (or I missed something obvious). I'm going to do this by SSH.
Windows-10 has a builtin SSH server, but you have to put the machine in developer mode. Well, some people (including jimc) can't find it at all, and those who can install it can't get it to run. Let's try something else.
I ended up using the Bitvise server on Baobei, and the Bitvise client on Orion.
I transferred these files, all in C:\
Check that these items work:
I shared the C:/ drive on Baobei, and created a script on Diamond: /home/backup/baobei/baobei-suck. It mounts the whole drive and uses rsync to copy the wanted subdirectories into the backup area.
How I shared my C:/ drive in Windows 10:
Details in the backup script:
Windows is picky about creating files in the root directory. Normally on UNIX I have a control file that tells what I want to be backed up, but I had to hardwire the subdirectories into the backup-suck script.
The mount command line is:
mount.cifs "//baobei/C" /mnt -o credentials=/home/backup/baobei/pwfile,vers=3.0
The SMB protocol version must be specified explicitly as 3.0 (other values could conceivably work but were not tested.) The default value of 1.0 definitely fails from a Windows-10 server.
The credential file needs an absolute path (relative path fails). It contains key=value pairs, one per line, with no blanks around the '='; blanks are sent as part of the key or value causing failure. (smbclient removes the blanks.) The file needs to be mode 600 owned by root, and if it gets backed up, the backup media needs (and has) effective crypto protection against snooping. Here's a sample file. I think the domain is only used with Active Directory, but I gave it anyway.