Operations, updated July 3, 2026

CHG2559496 - Cloud Firewall and VNet Peering

Tags: operations, change-record, azure, vnet-peering, firewall, networking, terraform, domain-join

Change Record Template

CHG2559496: cloud firewall, VNet peering (PEX 89686)

Implementation and Validation

VNet Peering

  • Review/Validate PR and TFE Plan
  • Approve PR
  • Merge PR
  • Validate Plan and Apply

Test the peering by joining a host in West US3 Epic-Shared-Infra to AD across the Identity peering in Prod: zwnltstlew001, plus Indhu's latest machine.

Domain join

Domain to join: ms.ds.uhc.com; user: locadm; password: Admin Passwords.

Join credentials: kv/join_credentials/svc_blabla_ENV
  • svc_ is the user
  • password is the secret

Add entries to /etc/hosts.

QAS Section

Prod (ms.ds.uhc.com):

/opt/quest/bin/vastool -u vasjoin -k /var/chef/cache/cookbooks/optum_rhel_qas/files/ms-vasjoin.keytab join -f -n $(hostname -f) -c 'OU=RHEL-9,OU=RHEL,OU=Epic,OU=Azure,OU=Public-Cloud-VMs,OU=Servers,OU=UHT,OU=UHG,DC=ms,DC=ds,DC=uhc,DC=com' --preload-nested-memberships ms.ds.uhc.com

Nonprod (msnonprod.dsnonprod.uhc.com):

/opt/quest/bin/vastool -u vasjoin -k /var/chef/cache/cookbooks/optum_rhel_qas/files/ms-vasjoin.keytab join -f -n $(hostname -f) -c 'OU=RHEL-9,OU=RHEL,OU=Epic,OU=Azure,OU=Public-Cloud-VMs,OU=Servers,OU=UHT,OU=UHG,OU=MS_PROD,DC=msnonprod,DC=dsnonprod,DC=uhc,DC=com' --preload-nested-memberships msnonprod.dsnonprod.uhc.com
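A pre-flight check for the two vastool joins above, written as an added example for this change record (it is not part of the runbook or of the Quest/QAS tooling). It assumes the caller supplies the keytab path and the container DN / domain pair that will be passed to vastool; the DN and domain strings in the block are the ones from the commands above. The two things worth catching before a join are a container DN whose DC= components do not match the domain argument (a prod OU joined to the nonprod domain, or vice versa) and a keytab that is readable by anyone other than its owner.

```python
"""Pre-flight checks for a vastool join (added example, not from the change record)."""
import os
import stat

# Container DNs and domains exactly as they appear in the runbook's vastool commands.
PROD_DN = ("OU=RHEL-9,OU=RHEL,OU=Epic,OU=Azure,OU=Public-Cloud-VMs,OU=Servers,"
           "OU=UHT,OU=UHG,DC=ms,DC=ds,DC=uhc,DC=com")
PROD_DOMAIN = "ms.ds.uhc.com"
NONPROD_DN = ("OU=RHEL-9,OU=RHEL,OU=Epic,OU=Azure,OU=Public-Cloud-VMs,OU=Servers,"
              "OU=UHT,OU=UHG,OU=MS_PROD,DC=msnonprod,DC=dsnonprod,DC=uhc,DC=com")
NONPROD_DOMAIN = "msnonprod.dsnonprod.uhc.com"


def dn_components(dn):
    """Split an LDAP DN into (ATTRIBUTE, value) pairs.

    Splits on unescaped commas only, so an RDN value such as "OU=Sales\\, EMEA"
    stays intact instead of being cut in half.
    """
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur += ch
            escaped = False
        elif ch == "\\":
            cur += ch
            escaped = True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_domain(dn):
    """DNS domain implied by the DC= components (DC=ms,DC=ds,... -> ms.ds....)."""
    return ".".join(v for a, v in dn_components(dn) if a == "DC").lower()


def join_args_consistent(container_dn, domain):
    """True when the -c container DN and the trailing domain argument agree."""
    return dn_domain(container_dn) == domain.lower()


def mode_findings(path, mode):
    """Findings for a keytab's permission bits (pure function; testable offline)."""
    bits = stat.S_IMODE(mode)
    if bits & 0o077:
        return [f"{path}: mode {bits:04o} is readable by group/other; expected 0600"]
    return []


def keytab_findings(path):
    """Problems with the keytab the join authenticates with: missing, not a file, too open."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: keytab not found"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    findings.extend(mode_findings(path, st.st_mode))
    return findings


def preflight(container_dn, domain, keytab):
    """All findings for one planned join; an empty list means go ahead."""
    findings = []
    if not join_args_consistent(container_dn, domain):
        findings.append(f"container DN implies domain {dn_domain(container_dn)!r}, "
                        f"but join target is {domain!r}")
    findings.extend(keytab_findings(keytab))
    return findings


if __name__ == "__main__":
    # Keytab path from the runbook; on a workstation it is simply reported as missing.
    keytab = "/var/chef/cache/cookbooks/optum_rhel_qas/files/ms-vasjoin.keytab"
    for dn, dom in ((PROD_DN, PROD_DOMAIN), (NONPROD_DN, NONPROD_DOMAIN)):
        print(dom, preflight(dn, dom, keytab) or "OK")
```

Run it on the host immediately before the join; a non-empty list from preflight() is the cue to stop and fix the OU, the domain argument or the keytab permissions rather than retry the join.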

SSSD Implementation

To configure SSSD (System Security Services Daemon) to use Active Directory (AD) for authentication, follow these steps. This assumes you are working on a Linux system such as RHEL, CentOS, or Ubuntu.

Prerequisites

  1. Ensure the system is joined to the AD domain using realmd, adcli, or similar tools.

  2. Install required packages:

     For RHEL/CentOS:

     sudo dnf install sssd sssd-ad sssd-tools realmd oddjob oddjob-mkhomedir adcli samba-common-tools -y

     For Ubuntu/Debian:

     sudo apt-get install sssd sssd-tools realmd adcli oddjob oddjob-mkhomedir -y

  3. Verify DNS configuration points to your AD domain controllers.

  4. Ensure time synchronization with AD by enabling and starting the NTP or chrony service:

     sudo systemctl enable chronyd --now   # For RHEL/CentOS
     sudo systemctl enable ntp --now       # For Ubuntu/Debian

  1. Join the AD Domain

     Use realm to join the system to the AD domain:

     sudo realm join --user=AD_ADMIN_USER domain.example.com

     You will be prompted for the AD_ADMIN_USER password. A successful join writes a basic /etc/sssd/sssd.conf.

  2. Configure SSSD

     Edit /etc/sssd/sssd.conf to ensure proper configuration. Example:

     [sssd]
     domains = domain.example.com
     config_file_version = 2
     services = nss, pam

     [domain/domain.example.com]
     ad_domain = domain.example.com
     krb5_realm = DOMAIN.EXAMPLE.COM
     realmd_tags = manages-system joined-with-samba
     cache_credentials = True
     id_provider = ad
     auth_provider = ad
     access_provider = ad

     Optional: auto-create home directories for AD users and use short names

     default_shell = /bin/bash
     fallback_homedir = /home/%u
     use_fully_qualified_names = False
     # Use short names (e.g., "jdoe" instead of "jdoe@domain.example.com")

     Advanced performance tuning

     ldap_id_mapping = True
     krb5_store_password_if_offline = True

     Set appropriate permissions for the file:

     sudo chmod 600 /etc/sssd/sssd.conf
     sudo chown root:root /etc/sssd/sssd.conf

  3. Configure PAM for Home Directory Creation

     Enable oddjob-mkhomedir to create home directories on first login:

     sudo systemctl enable oddjobd --now

     Edit /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive to include:

     session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

     Note: the common-session files exist on Debian/Ubuntu. On RHEL/CentOS 8 and later the PAM stack is managed by authselect, and the equivalent is "sudo authselect select sssd with-mkhomedir --force".

  4. Start and Enable SSSD

     Restart and enable the sssd service:

     sudo systemctl enable sssd --now

  5. Verify Configuration

     Test authentication: check that an AD user can be resolved:

     getent passwd username

     Example output:

     username:*:12345678:12345678:John Doe:/home/username:/bin/bash

  6. Login Test: Use an AD account to log in.

  7. Troubleshooting

     • Check SSSD logs for issues:
       • /var/log/sssd/sssd.log
       • /var/log/secure
       • /var/log/auth.log (Debian-based)
     • Debug with higher verbosity: sudo sssd -i -d4
     • Ensure necessary ports (e.g., 389/636 for LDAP, 88/464 for Kerberos) are open.

You should now have SSSD configured to authenticate against AD.
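A check that the resulting /etc/sssd/sssd.conf actually matches what steps 2 and 5 call for, written as an added example for this change record (not code from the original page or from the SSSD project). It assumes the file uses the INI layout shown in the example above, so Python's configparser can read it, and it treats id_provider, auth_provider and access_provider = ad plus an upper-case krb5_realm as required. The two sample configs are constructed from the page's example; the "bad" one drops access_provider (SSSD then falls back to its default of permit, so every AD account can log in) and has a lower-case realm and world-readable mode.

```python
"""Validate an sssd.conf against the runbook's expected settings (added example)."""
import configparser
import os
import stat
import tempfile

REQUIRED_DOMAIN_KEYS = {"id_provider": "ad", "auth_provider": "ad", "access_provider": "ad"}

# Constructed from the runbook's example sssd.conf.
GOOD_CONF = """\
[sssd]
domains = domain.example.com
config_file_version = 2
services = nss, pam

[domain/domain.example.com]
ad_domain = domain.example.com
krb5_realm = DOMAIN.EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
auth_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%u
use_fully_qualified_names = False
"""

# Constructed drift: lower-case realm and no access_provider (SSSD defaults to permit).
BAD_CONF = (GOOD_CONF.replace("DOMAIN.EXAMPLE.COM", "domain.example.com")
            .replace("access_provider = ad\n", ""))


def config_findings(text):
    """Findings about the contents of an sssd.conf; [] means it matches the runbook."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable: {exc}"]
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    findings = []
    if cp.get("sssd", "config_file_version", fallback=None) != "2":
        findings.append("config_file_version should be 2")
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    for svc in ("nss", "pam"):
        if svc not in services:
            findings.append(f"[sssd] services does not include {svc}")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        findings.append("[sssd] domains is empty")
    for dom in domains:
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            findings.append(f"[{sec}] section missing")
            continue
        for key, want in REQUIRED_DOMAIN_KEYS.items():
            got = cp.get(sec, key, fallback=None)
            if got != want:
                findings.append(f"[{sec}] {key} = {got!r}, expected {want!r}")
        realm = cp.get(sec, "krb5_realm", fallback="")
        if realm != dom.upper():
            findings.append(f"[{sec}] krb5_realm = {realm!r}, expected {dom.upper()!r}")
    return findings


def file_findings(path, expect_uid=0):
    """Ownership (root by default) and mode (0600) checks on the file, plus content findings."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expect_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expect_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} is group/world accessible, expected 0600")
    with open(path) as fh:
        findings.extend(config_findings(fh.read()))
    return findings


def _write_sample(text, mode):
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def demo():
    """Run both constructed samples through file_findings; returns (good, bad) finding lists."""
    # expect_uid is the current user so the demo runs unprivileged; against the
    # real /etc/sssd/sssd.conf keep the default of 0 (root).
    me = os.getuid()
    paths = [_write_sample(GOOD_CONF, 0o600), _write_sample(BAD_CONF, 0o644)]
    try:
        return tuple(file_findings(p, expect_uid=me) for p in paths)
    finally:
        for p in paths:
            os.remove(p)


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), demo()):
        print(label, result or "OK")
```

On a real host call file_findings("/etc/sssd/sssd.conf") as root after step 2 and again after any later edit; it is a cheap guard against the silent "permit everyone" fallback that a dropped access_provider line produces.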

Checkout Plan

Cloud: Linux and Windows VMs to the Domain VNet (ping, etc.)

Cloud test VMs:
  • Linux: zwtlanssh001 (10.150.214.4)
  • Windows: zwtwbcaee001 (10.150.209.6)

VMs in Epic shared to be joined to the prod domain for testing:
  • zwnltstlew001 (10.150.199.197)
  • zwnwtstwew001 (10.150.199.198)

Private link endpoint entries (Azure Site Recovery and Azure Backup) for /etc/hosts:

10.153.6.73  2177547735491373443-asr-pod01-prot2.cus.privatelink.siterecovery.windowsazure.com
10.153.6.74  2177547735491373443-asr-pod01-tel1.cus.privatelink.siterecovery.windowsazure.com
10.153.6.76  2177547735491373443-asr-pod01-srs1.cus.privatelink.siterecovery.windowsazure.com
10.153.6.77  2177547735491373443-asr-pod01-rcm1.cus.privatelink.siterecovery.windowsazure.com
10.153.6.78  2177547735491373443-asr-pod01-id1.cus.privatelink.siterecovery.windowsazure.com
10.153.6.81  2177547735491373443-ab-pod01-rec2.privatelink.cus.backup.windowsazure.com
10.153.6.82  2177547735491373443-ab-pod01-id1.privatelink.cus.backup.windowsazure.com