Chapter 14. Removing the trust using Ansible

This section describes how to remove the Identity Management (IdM)/Active Directory (AD) trust on the IdM side by using an Ansible playbook. Removing the trust in IdM deletes only the IdM trust object; the trust object that exists on the AD side is not touched and must be removed separately with AD tools.

Prerequisites

  • You have obtained a Kerberos ticket as an IdM administrator. For details, see Logging in to IdM in the Web UI: Using a Kerberos ticket.
  • You have configured an Ansible control node that meets the following requirements:

    • You are using Ansible version 2.8 or later.
    • You have installed the ansible-freeipa package.
    • In the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server on which you are removing the trust.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory:

    $ cd ~/MyPlaybooks/
  2. Create a del-trust.yml playbook with the following content:

    ---
    - name: Playbook to delete trust
      hosts: ipaserver
      become: true

      tasks:
      - name: ensure the trust is absent
        ipatrust:
          ipaadmin_password: SomeADMINpassword
          realm: ad.example.com
          state: absent

    In the example, realm defines the AD realm name string; replace ad.example.com with the realm of the AD domain whose trust you are removing. The plain-text ipaadmin_password is for illustration only: in a real playbook keep the IdM administrator password in an Ansible Vault file so that it is not stored in clear text next to the playbook.

  3. Save the file.
  4. Run the Ansible playbook specifying the playbook file and the inventory file:

    $ ansible-playbook -v -i inventory del-trust.yml
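    The following playbook is a hardened variant of the procedure above, added here as an example; it is not part of the original page or of the ansible-freeipa project. It reads the administrator password from an Ansible Vault file instead of plain text, keeps the realm in a variable, and runs the ipa trust-show check from the verification steps as a second task so that the play fails if the trust still exists. The file names vault.yml and del-trust-vault.yml, the variable name ad_realm, and the realm ad.example.com are assumptions for the example.

```yaml
---
# Added example, not from the original page: remove the AD trust with the
# IdM admin password taken from an Ansible Vault file and verify the result.
# Create the vault file once, in ~/MyPlaybooks/, with:
#   ansible-vault create vault.yml
# and put a single line in it:
#   ipaadmin_password: <IdM admin password>
- name: Remove the AD trust and verify it is gone
  hosts: ipaserver
  become: true
  vars:
    ad_realm: ad.example.com        # assumed AD realm; replace with yours
  vars_files:
    - vault.yml                     # vault-encrypted, defines ipaadmin_password

  tasks:
    - name: Ensure the trust to {{ ad_realm }} is absent
      ipatrust:
        ipaadmin_password: "{{ ipaadmin_password }}"
        realm: "{{ ad_realm }}"
        state: absent

    # Same check as the manual "ipa trust-show" verification step, run by the
    # play. The task executes as root on the IdM server, which has no Kerberos
    # ticket of its own, so it obtains one as admin first. It passes only when
    # IdM answers "trust not found"; any other outcome (trust still present,
    # Kerberos failure, mistyped realm) fails the play instead of being missed.
    - name: Verify IdM no longer has a trust to {{ ad_realm }}
      ansible.builtin.shell: |
        echo '{{ ipaadmin_password }}' | kinit admin >/dev/null
        ipa trust-show '{{ ad_realm }}'
      register: trust_check
      changed_when: false
      failed_when: "'trust not found' not in trust_check.stderr"
      no_log: true                  # keep the password out of the Ansible output
```

    Run it from ~/MyPlaybooks/ with the vault password supplied interactively: ansible-playbook -v -i inventory --ask-vault-pass del-trust-vault.yml. Because no_log: true also hides the command's stderr when the verification task fails, temporarily remove that line if you need to see the exact IdM error while troubleshooting, and restore it afterwards.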

Verification steps

  • Use the ipa trust-show command with the AD realm name to confirm that the trust has been removed. If you omit the realm name, the command prompts for it. Once the trust is gone, IdM reports an error instead of displaying the trust entry:

    [root@server ~]# ipa trust-show
    ipa: ERROR: trust not found

Additional resources

  • /usr/share/doc/ansible-freeipa/
  • /usr/share/doc/ansible-freeipa/playbooks/trust