Este conteúdo não está disponível no idioma selecionado.

Chapter 14. Removing the trust using Ansible

download PDF

Follow this procedure to remove the Identity Management (IdM)/Active Directory (AD) trust on the IdM side by using an Ansible playbook.


  • You have obtained a Kerberos ticket as an IdM administrator. For details, see Logging in to IdM in the Web UI: Using a Kerberos ticket.
  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.14 or later.
    • You have installed the ansible-freeipa package on the Ansible controller.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.


  1. Navigate to your ~/MyPlaybooks/ directory:

    $ cd ~/MyPlaybooks/
  2. Create an del-trust.yml playbook with the following content:

    - name: Playbook to delete trust
      hosts: ipaserver
      - /home/user_name/MyPlaybooks/secret.yml
        - name: ensure the trust is absent
            ipaadmin_password: "{{ ipaadmin_password }}"
            state: absent

    In the example, realm defines the AD realm name string.

  3. Save the file.
  4. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:

    $ ansible-playbook --vault-password-file=password_file -v -i inventory del-trust.yml

Removing the trust configuration does not automatically remove the ID range IdM has created for AD users. This way, if you add the trust again, the existing ID range is re-used. Also, if AD users have created files on an IdM client, their POSIX IDs are preserved in the file metadata.

To remove all information related to an AD trust, remove the AD user ID range after removing the trust configuration and trust object:

# ipa idrange-del AD.EXAMPLE.COM_id_range
# systemctl restart sssd

Verification steps

  • Use the ipa trust-show command to confirm that the trust has been removed.

    [root@server ~]# ipa trust-show
    ipa: ERROR: trust not found

Additional resources

Red Hat logoGithubRedditYoutubeTwitter


Experimente, compre e venda


Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja oBlog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

© 2024 Red Hat, Inc.