Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 14. Removing the trust using Ansible

You can remove the Identity Management (IdM)/Active Directory (AD) trust on the IdM side by using an Ansible playbook.

Prerequisites

  • You have obtained a Kerberos ticket as an IdM administrator. For details, see Logging in to IdM in the Web UI: Using a Kerberos ticket.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.15 or later.
    • You have installed the freeipa.ansible_freeipa collection.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Create an del-trust.yml playbook with the following content: 

    ---
- name: Playbook to delete trust
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
    - name: ensure the trust is absent
      ipatrust:
        ipaadmin_password: "{{ ipaadmin_password }}"
        realm: ad.example.com
        state: absent
    Copy to Clipboard Toggle word wrap

    In the example, realm defines the AD realm name string.

  3. Save the file.

  4. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory del-trust.yml
    Copy to Clipboard Toggle word wrap
    Note

    Removing the trust configuration does not automatically remove the ID range IdM has created for AD users. This way, if you add the trust again, the existing ID range is re-used. Also, if AD users have created files on an IdM client, their POSIX IDs are preserved in the file metadata.

    To remove all information related to an AD trust, remove the AD user ID range after removing the trust configuration and trust object: 

    # ipa idrange-del AD.EXAMPLE.COM_id_range
# systemctl restart sssd
    Copy to Clipboard Toggle word wrap

Verification

  • Use the ipa trust-show command to confirm that the trust has been removed. 

    [root@server ~]# ipa trust-show ad.example.com
ipa: ERROR: ad.example.com: trust not found
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat