Intel NUC5i5RYH
Becoming Baobei

Jim Carter, 2016-01-18, upated 2018-01-16

On 2018-01-13 the NUC6CAYH arrived, freeing up the NUC5i5RYH to become Baobei, the machine running Microsoft Windows and its task preparation and accounting packages. Here's what I did to set that up.

BIOS Setup

Symptom: it would not wake on LAN from S5. Actually I did this late, should have done it first. The following is from after I installed BIOS 0367 and reverted explicitly to factory defaults (press F9). All settings were left alone except as noted.

Primary power setting: Changed from Max Performance to Balanced. See the discussion below. You need to disable the current choice, then enable a different one.
After Power Failure = Stay Off (is the default).
S3 state indicator: was Blink 0.25Hz alternate color, changed to solid alternate color. Primary color is blue, alternate is amber.
Wake on LAN from S4/S5 = power on, normal boot (is the default).
Wake system from S5: default is Off, changed to On. This fixes my symptom.
USB S4/S5 power: Off (is the default).
Native ACPI OS PCIe Support: Off (is the default).
Result: it wakes on LAN now from S5.

How should I set the Primary Power Setting? The only differences that I can see are in Package Power Limit 1 (Sustained) which is 20W for Max (the factory default), 15W for Balanced, 8W for low power. And also an averaging window changes. Burst mode is 25W for all. If the machine encounters a task requiring a lot of CPU, if allowed 8W it will run longer but cooler, or at 20W it goes quicker but hotter. Or with more power a game's frame rate can be higher. Hotter means more fan noise and in theory can shorten the life of the CPU, but I doubt that it gets hot enough on the factory default setting of Max to do damage; you need to get into the overclocking menu to really do a roast job. For my use case in Windows, most of my computation is in burst mode, and I doubt I will notice any difference between different values of Primary Power Setting.

Windows 10 Pro License and Media

Ben bought us a product key for Windows 10 Pro ($35). It's recorded in win10-key.txt (not publicly readable). The reason for getting the Pro edition is to get a RDP server. Win10 Home has a RDP client but not the server. Here are the steps in getting the media.

Download Windows to the local disc first. 4.4Gb at 5.3Mb/sec, about 15 mins.
Remove Iris' disc. Hiatus while the new Iris is set up under the name of Iris.
Replace it with a new Seagate Barracuda 500Gb ST500LM030 ($46). Its serno: WDETD8Z6
Copy the ISO image to a USB flash stick:
dd if=/tmp/Win10_1709_English_x64.iso of=/dev/sdb
dd rate: 4.9Mb/sec (like a snail). Linux agrees that it has turned into an ISO 9660 CDROM.
Boot from this device. Unable to boot the installation media. Both UEFI and legacy booters think it exists but is not bootable.
First howto found on Venturebeat.com.
- Having the ISO image, start command.com...
- Apparent equivalent on Linux:
- parted /dev/sdb
- Delete any partitions that may be there.
- Create a primary partition (/dev/sdb1)
- Make it "active" (boot flag I assume). Also installs the booter (grub :-)
- Format with fat32. NTFS is also possible but needs different files.
- Mount the partition.
- Mount the ISO image
- Copy all the files recursively.
- I was lazy, and first tried the next solution, which I suspect is more satisfactory anyway.
Second howto on Webupd8.org by Andrew, 2016-06-09. Look for woeusb, it's on SuSE Build Service in a dev's homedir. Original WinUSB by Colin GILLES, forked by slacka into woeusb. zypper install http:whatever. It appears to use grub as the booter, with the EFI module installed. Do woeusb --help for the help. (No man page.) Command line: /dev/sdb is the USB flash stick.
woeusb -v --label WIN10INS --device /tmp/Win10_1709_English_x64.iso /dev/sdb

install.wim is the biggest file on the disc, be patient. One problem was encountered: it installed grub to do the legacy boot but grub2-install had to revert to blocklists which are deprecated; they will break if the referent file(s) are moved. But this is unlikely on installation media :-)
I booted the media. Looks like it attempted legacy boot and failed. I restarted the machine, got the boot menu (F10 at the splash screen), and picked UEFI boot USB device. It booted the Windows installer.

Steps in Window-10 Installation

We're going to install Windows, then check things out. Hostname to be orion.

It pre-fills your edition (Pro), region (en_US) and keyboard layout. Other sources give dire warnings if you try to change any of these. Hit Next.
Provide the product key.
Accept the EULA.
Installation type: since Windows is not on the disc (it's completely blank), change to Custom.
Partitioning: Get rid of any existing partitions. Put it on Drive 0 unallocated space (465.8Gb). The installer will give you a useable layout by itself (unless you have special needs). No changes, hit Next.
It installs stuff for 20 to 30 mins, then reboots.
Remove the installation media; you don't want to install again. (YaST would recognize this situation.) If you aren't watching and it does reboot the installer, you can remove the media, close the installer window, and it will reboot again. The booter uses a hybrid of the NUC splash screen and its own throbber and messages.
Booting for the first time takes a long time and involves additional reboot(s).

Setup Information

Once it boots it asks you for this setup information:

Region: US
Keyboard layout: US
Second keyboard layout: Skip it
Looking for updates (and validating network setup) It is not using Orion's IP addresses (neither IPv4 nor IPv6). Wrong, ping is blocked by the firewall. Network parameters are all correct. The first phase took forever, but eventually finished; now we have to wait for the second phase… Did it finish? It thinks so.
Actually the network slowness, first encountered here, was caused by a flakeout on Jacinth, the main router which is being replaced. Windows Update was done over later, with much better results.
Personal use (selected) or organizational (Active Directory?)
Create Alice's user account. This takes a long time, don't know why. Authenticate to (or create) your Microsoft account. Using the existing one (give password.)
Set a PIN for 2 factor auth. (Do this later)
Hey, look, that's me, Cortana. A circle that bounces like a puppy. Tell it No.
Privacy settings: Location off, diagnostics full, relevant ads off, speech recognition off, tailored experience off.
Long period of setup, probably lengthened by network problems.
Welcome to Windows (in web browser).
Problem connecting to OneDrive. Duh, it's not set up. Close it.
We are presumably now operational in single user mode. Looks like a normal desktop.

User Initiated Setup

These are additional setup steps to get it working on my network.

Click on the Network icon (lower right corner). Ignore Wi-fi. (This machine has builtin Wi-Fi which is irrelevant for this use case.) Hit Network (the top row).
Change to Private network. Allows printing and file sharing.
Click on Configre Firewall and Security (opens Windows Defender).
- Allow app(s) through firewall: Click on change settings, then:
  - Turn on Remote Desktop.
  - Turn on File and Printer Sharing.
  - Click on Add Another App, then Browse, then scroll to PING, double click, hit Add, finally hit OK. Ping packets are now answered.
- While we're at it, let's do the whole setup.
  - Virus and Threat Protection: is on, no action needed, so they say. Later we should do a virus scan to establish a baseline.
  - Device health: Everything is fine except it needs Windows Update.
  - Firewall and Network: is on, no action needed.
  - App and browser control: is on, no action needed.

Windows Update

As this is written, Ben says the current build number is 16299.192 . We are now at 16299.15 which I think is just what's on the installation media. If you hit Check for Updates it may or may not find some after a ridiculously long time, but makes no progress downloading the ones that were found.

Skipping a page of troubleshooting steps. I power cycled Jacinth and things got a lot better.

Short story on Windows Update: on some but not all content delivery nodes, IPv6 is screwed up. Sometimes you can update using IPv6 and sometimes you can't. I disabled IPv6 on the network adapter and got the updates. Build number 16299.192 which is current as of 2018-01-18.

Install Application Software

SSH client: Recommendations from www.ssh.com: They're still recommending Bitvise Tunnelier. Installed, working, both shell and SFTP.
Office 2007, from our CD media, using our USB CD drive.
Evince -- but how do you get Edge (etc) to use it as the default viewer?
Turbo Tax -- Downloaded from Intuit.

RDP Server on Windows

I'm using the Remmina client on Linux; see the next section. But it absolutely could not connect to the RDP server. Skipping another page or two of troubleshooting steps. Ben and I worked together to break this loose. The issue turns out to be, there are 3 choices for the security protocol:

RDP: not sure what this really is, but it may mean no encryption for anything.
TLS: Like HTTPS, it appears to tunnel the RDP security protocol as well as the content over an initially opened TLS connection. The server creates a lameass self-signed certificate for this, which the client cannot trust and has to make a security exception for.
NLA: Network Level Authentication. This means to do SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) which uses GSSAPI (Generic Security Services Application Program Interface) to negotiate a mechanism, which invariably ends up picking Kerberos to securely and robustly authenticate the client. Provided that the server has Active Directory configured and has appropriate credentials to decrypt the service ticket that it will receive from the KDC (one of the steps in joining the domain). I'm not sure if the content gets encrypted.
Negotiate is another choice for the client, but as a security intervention, RDP on Windows 10 has mandatory NLA set by default and the procedure to turn it off is hidden.
Jimc of course has a functioning Kerberos and LDAP infrastructure for Linux, but does not have the LDAP schema to do Active Directory, and does not have the inclination to set this up just for this one Windows machine.

Another possibility is to do the remote desktop thing by VNC. I actually installed the TightVNC server on Baobei and used it successfully. But our security rules require that authentication data, and preferably the entire content, be encrypted on the wire, similar to what SSH does. That would mean setting up an intra-data-center VPN from the Financial Manager's machine to Baobei. While that kind of thing is a best practice in the corporate world, particularly with outsourced colocation services, it would be ridiculous overkill in our situation. There are also useability issues with VNC authentication which reduce the WAF (Wife Acceptance Factor) of VNC. So I will continue debugging RDP, with its intrinsic security.

Ben finally found this procedure to turn off NLA. Then TLS could be used successfully.

Under Settings - System - Remote Access, enable Remote Access. But you find (in the very first stanza) that Require Network Level Authentication (NLA) is checked and you can't un-check it.
Click the Windows Pearl (the start thingy at the lower left corner).
Type "Control Panel" (not case sensitive, initial string works)
Click on it. This is the medium-old style Control Panel from Win7.
Click on System and Security.
Under System (3rd item) find Allow Remote Access. Click.
A normal Windows property box opens. Near the bottom, find Allow connections only from computers using Network Level Authentication (recommended). Un-check it. Hit OK.
Back in Settings… or in this control panel, authorize the needed users to use RDP. Members of the Administrator group are already authorized ex officio.

Linux RDP Client

5 of the Best Linux Remote Desktop Clients, on Techradar. RealVNC, TigerVNC, TightVNC do VNC only, so don't help me. Remmina and Vinagre can do both RDP and VNC, and can make the connection over a SSH forwarded port (if the target has a SSH server, not typical for Windows). Remmina can spawn SSH shell sessions (and several other remote desktop protocols, using plugins). Since my Linux machines already have Remmina and don't have Vinagre, I'm concentrating on Remmina.

It is assumed that the reader will have used the procedure detailed above to not insist on NLA. A couple of pages of troubleshooting steps, involving NLA being required and not having the required Kerberos ticket, have been omitted.

How to use Remmina: preparing a connection profile. Hit +, or right click on an existing connection line and pick edit.

Top Area
- In the top area, fill in a useful human-readable name (title).
- Select the main protocol from RDP (default), VNC, SSH. I'm using RDP.
- Leave blank the Group, Pre-command, Post-command.
Basic tab (click the icon)
- Fill in the server name (or IP). Use anything that the client host can resolve. Forum posts often recommend the IP (of the gateway) here because when NAT is involved the target's name is not going to resolve to the gateway IP.
- The user's name, password and domain (workgroup) are needed for some protocols, particularly RDP/NLA, but are useless for others like RDP/TLS or VNC. Leave blank. The program will ask for them if needed. Storing a password here is a security risk.
- Resolution: if the client and target have the same screen size and you'll be running it full-screen, then mark Use Client Resolution. Otherwise pick a custom resolution that fits your screen.
- Color Depth: Pick TrueColor 24bit. On a WAN you might try HighColor 16bit, but photos look terrible and it only saves 33% data rate.
- I've never tried Share Folder.
- I'm not sure whether automatic reconnection ever can be successful in situations I actually encounter, and it's annoying, 20 retries, when it fails.
Advanced tab (click the icon)
- Quality: Best is useable on a LAN; includes desktop wallpaper. Downgrade to Poor on a slow data link.
- Sound: I've never tried it.
- Security (authentication protocol): The choices are:
  - RDP: Not sure what you get, but I doubt encryption is involved. Avoid.
  - NLA: If the client and target have Kerberos (Active Directory) in the same realm or with cross-realm trust, NLA (Network Level Authentication) is superior. Otherwise you will be kicked off (which was my problem). Session content is encrypted.
  - TLS: Second best after NLA. This is what I used. The server will send over a lameass self-signed certificate, and I don't know how to make Baobei use its proper host cert for RDP.
  - Negotiate: On my net the client has a Kerberos ticket, but the target has no keytab, but they pick NLA anyway and fail. So I can't use Negotiate.
- Client Name: This is probably irrelevant but I provided the client's hostname.
- Ignore Certificate: Turn on unless you've figured out how to get the target to use a proper cert that you can trust.
- Disable password storing: Turn on if you're paranoid, i.e. you follow best practices.
- Leave the rest blank or off.

How tp use Remmina: making the connection. Double-click the connection row, or right click and pick Connect. Accept the lame self-signed cert from the target (first time only). You will get a window with a framebuffer as if on the target's console. Authenticate to the Windows greeter, and do your thing. When you sign out, the connection will be closed and the framebuffer window will vanish. (VNC works similarly, assuming a VNC server is running on the target.)

Tweaking remmina startup preferences: ~/.config/remmina/remmina.pref

Windows does not really have the concept of multi-user operation. If the same user is already logged in to the target, e.g. at the console, that instance will be locked, and the RDP session will see the ongoing framebuffer and will have input focus. When the user disconnects RDP (without signing out), the other instance will unlock. When different users are involved I'm not sure what will happen, but this is not something Windows is designed to do. Remote Assistance uses RDP, and both instances would then be able to see the session and to provide input.

Installing TightVNC server

TightVNC-2.8.8 includes a server and a viewer. The installer also associates .vnc files with the viewer; registers the server as a system service; allows simulated ctrl-alt-del; and makes a firewall hole for VNC. Post-install setup wizrd: you need to set a password for remote access and for the administrative interface. See nearby file (mode 600) for the password. The server is started immediately, and at reboot. Since I have RDP working, I'm going to de-install the VNC server.

Transplanting Baobei

The job now is to get user files off the virtual machine (Baobei) onto the new bare metal machine (Orion), after which the VM will never be seen again, and Orion will take over tha name and IPv4/6 addresses of Baobei. Actually I renamed the VM to baobei-vm just in case.

Start up Baobei (the VM) for the last time.
Clean up Alice's junk files, particularly
- Browser cache
- Downloads
- Photos, movies, etc.
- Trash bin
Use the Windows Migration Tool to pack up Alice's remaining stuff, and export it to the new Baobei. What Windows Migration Tool? That was last seen in Windows NT. You have to use a 3rd party tool or do it by hand. It should have been possible to set up CIFS, but it didn't work out (or I missed something obvious). I'm going to do this by SSH.
Windows-10 has a builtin SSH server, but you have to put the machine in developer mode. Well, some people (including jimc) can't find it at all, and those who can install it can't get it to run. Let's try something else.
I ended up using the Bitvise server on Baobei, and the Bitvise client on Orion.
I transferred these files, all in C:\
- \ChaoTiWang
- \WinJim
- \WORK
- Some but not all stuff in Alice's homedir.
Check that these items work:
- Microsoft Access on financial database [works]
- Turbo Tax on 2016 tax return [works]
- RDP [working; see long discussion above]
- Printer: lp2 on Diamond [prints]

How to Back Up Baobei

I shared the C:/ drive on Baobei, and created a script on Diamond: /home/backup/baobei/baobei-suck. It mounts the whole drive and uses rsync to copy the wanted subdirectories into the backup area.

How I shared my C:/ drive in Windows 10:

Start Windows Explorer,
in the left panel, under This PC find Local Disk (C:) and right click on it.
Select Give Access, and under that, Advanced Sharing.
A standard properties dialog appears including the Sharing tab, which should be preselected. The Share button is greyed out.
Hit Advanced Sharing.
In that box, click on Share This Folder. The default share name is 'C', the drive letter. Then click Permissions.
In the resulting box the default is to give Everyone read access only. For my purpose I changed to Alice, the user who will authenticate for backing up.
Close everything. //baobei/C can now be mounted on other hosts.

Details in the backup script:

Windows is picky about creating files in the root directory. Normally on UNIX I have a control file that tells what I want to be backed up, but I had to hardwire the subdirectories into the backup-suck script.
The mount command line is:
mount.cifs "//baobei/C" /mnt -o credentials=/home/backup/baobei/pwfile,vers=3.0
The SMB protocol version must be specified explicitly as 3.0 (other values could conceivably work but were not tested.) The default value of 1.0 definitely fails from a Windows-10 server.
The credential file needs an absolute path (relative path fails). It contains key=value pairs, one per line, with no blanks around the '='; blanks are sent as part of the key or value causing failure. (smbclient removes the blanks.) The file needs to be mode 600 owned by root, and if it gets backed up, the backup media needs (and has) effective crypto protection against snooping. Here's a sample file. I think the domain is only used with Active Directory, but I gave it anyway.
username=whoever
password=wouldntyouliketoknow
domain=WORKGROUP

Intel NUC5i5RYH Becoming Baobei

Transplanting Baobei

How to Back Up Baobei

Intel NUC5i5RYH
Becoming Baobei