CHG2559496 - Cloud Firewall and VNet Peering
Change Record Template
CHG2559496 cloud firewall, vnet peering PEX 89686
Implementation and Validation
VNet Peering
- Review/Validate PR and TFE Plan
- Approve PR
- Merge PR
- Validate Plan and Apply
- Test peering by adding a host to AD from West US3 Epic-Shared-Infra over the Identity peering in Prod: zwnltstlew001, and Indhu's latest machine
Domain join
Domain to join: ms.ds.uhc.com
User: locadm
Password: Admin Passwords
Join credentials: kv/join_credentials/svc_blabla_ENV
  svc_* is the user; the password is the secret
Add entries to /etc/hosts (the host/IP pairs are listed at the end of this record)
QAS Section
Prod domain (ms.ds.uhc.com):
/opt/quest/bin/vastool -u vasjoin -k /var/chef/cache/cookbooks/optum_rhel_qas/files/ms-vasjoin.keytab join -f -n $(hostname -f) -c 'OU=RHEL-9,OU=RHEL,OU=Epic,OU=Azure,OU=Public-Cloud-VMs,OU=Servers,OU=UHT,OU=UHG,DC=ms,DC=ds,DC=uhc,DC=com' --preload-nested-memberships ms.ds.uhc.com
Nonprod domain (msnonprod.dsnonprod.uhc.com):
/opt/quest/bin/vastool -u vasjoin -k /var/chef/cache/cookbooks/optum_rhel_qas/files/ms-vasjoin.keytab join -f -n $(hostname -f) -c 'OU=RHEL-9,OU=RHEL,OU=Epic,OU=Azure,OU=Public-Cloud-VMs,OU=Servers,OU=UHT,OU=UHG,OU=MS_PROD,DC=msnonprod,DC=dsnonprod,DC=uhc,DC=com' --preload-nested-memberships msnonprod.dsnonprod.uhc.com
SSSD Implementation
To configure SSSD (System Security Services Daemon) to use Active Directory (AD) for authentication, follow these steps. This assumes you are working on a Linux system like RHEL, CentOS, or Ubuntu.
Prerequisites
- Ensure the system is joined to the AD domain using realmd, adcli, or similar tools.
- Install required packages:
  sudo dnf install sssd sssd-ad sssd-tools realmd oddjob oddjob-mkhomedir adcli samba-common-tools -y   # For RHEL/CentOS
  sudo apt-get install sssd sssd-tools realmd adcli oddjob oddjob-mkhomedir -y   # For Ubuntu/Debian
- Verify DNS configuration points to your AD domain controllers.
- Ensure time synchronization with AD by enabling and starting the NTP or chrony service:
  sudo systemctl enable chronyd --now   # For RHEL/CentOS
  sudo systemctl enable ntp --now   # For Ubuntu/Debian
- Join the AD Domain
  Use realm to join the system to the AD domain:
  sudo realm join --user=AD_ADMIN_USER domain.example.com
  You will be prompted for the AD_ADMIN_USER password. A successful join writes a basic /etc/sssd/sssd.conf.
- Configure SSSD
  Edit /etc/sssd/sssd.conf to ensure proper configuration. Example:
  [sssd]
  domains = domain.example.com
  config_file_version = 2
  services = nss, pam

  [domain/domain.example.com]
  ad_domain = domain.example.com
  krb5_realm = DOMAIN.EXAMPLE.COM
  realmd_tags = manages-system joined-with-samba
  cache_credentials = True
  id_provider = ad
  auth_provider = ad
  access_provider = ad

  # Optional: auto-create home directories for AD users
  default_shell = /bin/bash
  fallback_homedir = /home/%u
  # Use short names (e.g., "jdoe" instead of "jdoe@domain.example.com").
  # SSSD only accepts comments on their own line, so keep this above the key.
  use_fully_qualified_names = False

  # Advanced performance tuning
  ldap_id_mapping = True
  krb5_store_password_if_offline = True

  Set appropriate permissions for the file:
  sudo chmod 600 /etc/sssd/sssd.conf
  sudo chown root:root /etc/sssd/sssd.conf
- Configure PAM for Home Directory Creation
  Enable oddjob-mkhomedir to create home directories on first login:
  sudo systemctl enable oddjobd --now
  Edit /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive (the Debian/Ubuntu PAM files; on RHEL the equivalent is managed by authselect) to include:
  session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
- Start and Enable SSSD
  Restart and enable the sssd service:
  sudo systemctl enable sssd --now
- Verify Configuration
  Test authentication: check that an AD user can be resolved:
  getent passwd username
  Example output:
  username:*:12345678:12345678:John Doe:/home/username:/bin/bash
- Login Test: Use an AD account to log in.
Troubleshooting
- Check SSSD logs for issues:
  /var/log/sssd/sssd.log
  /var/log/secure
  /var/log/auth.log (Debian-based)
- Debug with higher verbosity: sudo sssd -i -d4
- Ensure necessary ports (e.g., 389/636 for LDAP, 88/464 for Kerberos) are open.
You should now have SSSD configured to authenticate against AD. If anything goes sideways, let me know what's up, and we'll get it sorted.
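The configuration, permission and port points above can be checked mechanically after the change rather than by eye. The following script is an added example written for this record; it is not part of the change, the original page, or the SSSD/Quest tooling. It assumes POSIX sh with coreutils and awk, uses constructed sample config files with the guide's placeholder domain domain.example.com (no real host), and the function names (ini_get, sssd_conf_check, ad_ports_reachable) are its own. The port check needs network reach to a domain controller, so the demo at the bottom does not run it.

```shell
#!/bin/sh
# Added post-change check for the SSSD steps above. Illustrative script written
# for this record, not part of the change or of the SSSD/Quest tooling.
# Assumptions: POSIX sh with coreutils (ls, cut, tr, mktemp, timeout) and awk;
# the config uses the layout shown in the guide (one "key = value" per line,
# comments on their own lines).

# Print the value of key $2 in section [$1] of file $3; print nothing if absent.
ini_get() {
  awk -v sec="[$1]" -v key="$2" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$3"
}

# Return 0 when the sssd.conf at $1 is locked down and wired to AD for
# domain $2; otherwise print every problem found and return 1.
sssd_conf_check() {
  conf="$1"; domain="$2"; rc=0
  [ -f "$conf" ] || { echo "missing: $conf"; return 1; }
  # Group/other bits must be empty (mode 600, as the guide sets): the file
  # carries the host's AD wiring and credential-caching settings.
  perms=$(ls -ld "$conf" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "mode too open (group/other: $perms); run chmod 600 $conf"; rc=1; }
  # The domain must be listed in [sssd] domains or its section is never loaded.
  case " $(ini_get sssd domains "$conf" | tr ',' ' ') " in
    *" $domain "*) ;;
    *) echo "[sssd] domains does not include $domain"; rc=1 ;;
  esac
  # All three providers must be 'ad'. An unset access_provider falls back to
  # SSSD's default 'permit', which lets any AD account log in to the host.
  for kv in "id_provider=ad" "auth_provider=ad" "access_provider=ad" "ad_domain=$domain"; do
    key=${kv%%=*}; want=${kv#*=}
    got=$(ini_get "domain/$domain" "$key" "$conf")
    [ "$got" = "$want" ] || { echo "[domain/$domain] $key is '${got:-unset}', expected '$want'"; rc=1; }
  done
  return "$rc"
}

# Return 0 when DC $1 answers on the AD ports from the troubleshooting list.
# Uses bash's /dev/tcp, so it needs network reach to the DC; not run below.
ad_ports_reachable() {
  dc="$1"; rc=0
  for port in 88 389 464 636; do
    if timeout 3 bash -c "exec 3<>/dev/tcp/$dc/$port" 2>/dev/null; then
      echo "$dc:$port reachable"
    else
      echo "$dc:$port unreachable"; rc=1
    fi
  done
  return "$rc"
}

# Demo on constructed files (no real host): a config matching the guide, and a
# copy with access_provider dropped and world-readable permissions.
demo_dir=$(mktemp -d)
good_conf="$demo_dir/sssd.conf"
bad_conf="$demo_dir/sssd-bad.conf"
cat > "$good_conf" <<'EOF'
[sssd]
domains = domain.example.com
config_file_version = 2
services = nss, pam

[domain/domain.example.com]
ad_domain = domain.example.com
krb5_realm = DOMAIN.EXAMPLE.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
access_provider = ad
EOF
chmod 600 "$good_conf"
grep -v '^access_provider' "$good_conf" > "$bad_conf"
chmod 644 "$bad_conf"

sssd_conf_check "$good_conf" domain.example.com && echo "good config: OK"
sssd_conf_check "$bad_conf" domain.example.com || echo "bad config: problems found (expected)"
# With network reach to a DC, also run: ad_ports_reachable dc01.domain.example.com
```

Run it on the real host as `sssd_conf_check /etc/sssd/sssd.conf ms.ds.uhc.com` after the join; the access_provider check matters most, because the realm join itself does not guarantee that line is present and the default without it is to permit every AD account.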
Checkout Plan
Cloud: Linux and Windows to the Domain VNet (ping, etc.)
VMs in the cloud test for testing:
  Linux: zwtlanssh001 (10.150.214.4)
  Windows: zwtwbcaee001 (10.150.209.6)
VMs in Epic shared for testing, to join to the prod domain:
  zwnltstlew001 (10.150.199.197)
  zwnwtstwew001 (10.150.199.198)
2177547735491373443-asr-pod01-prot2.cus.privatelink.siterecovery.windowsazure.com 10.153.6.73
2177547735491373443-asr-pod01-tel1.cus.privatelink.siterecovery.windowsazure.com 10.153.6.74
2177547735491373443-asr-pod01-srs1.cus.privatelink.siterecovery.windowsazure.com 10.153.6.76
2177547735491373443-asr-pod01-rcm1.cus.privatelink.siterecovery.windowsazure.com 10.153.6.77
2177547735491373443-asr-pod01-id1.cus.privatelink.siterecovery.windowsazure.com 10.153.6.78
2177547735491373443-ab-pod01-rec2.privatelink.cus.backup.windowsazure.com 10.153.6.81
2177547735491373443-ab-pod01-id1.privatelink.cus.backup.windowsazure.com 10.153.6.82