Chapter 14. Removing the trust using Ansible
This section describes how to remove the Identity Management (IdM)/Active Directory (AD) trust on the IdM side by using an Ansible playbook.
Prerequisites
- You have obtained a Kerberos ticket as an IdM administrator. For details, see Logging in to IdM in the Web UI: Using a Kerberos ticket.
- You have configured an Ansible control node that meets the following requirements:
  - You are using Ansible version 2.8 or later.
  - You have installed the ansible-freeipa package.
  - In the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server on which you are removing the trust.
Procedure
Navigate to your ~/MyPlaybooks/ directory:
$ cd ~/MyPlaybooks/
Create a del-trust.yml playbook with the following content:
---
- name: Playbook to delete trust
  hosts: ipaserver
  become: true
  tasks:
    - name: ensure the trust is absent
      ipatrust:
        ipaadmin_password: SomeADMINpassword
        realm: ad.example.com
        state: absent
In the example, realm defines the AD realm name string.
Save the file.
Run the Ansible playbook specifying the playbook file and the inventory file:
$ ansible-playbook -v -i inventory del-trust.yml
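The del-trust.yml playbook above stores the IdM administrator password in clear text. The following variant is an added example, not part of the original documentation, that reads the password from an Ansible Vault file instead; the file names secret.yml and del-trust-vault.yml are assumptions.

```yaml
---
# del-trust-vault.yml (hypothetical file name): same task as del-trust.yml,
# but the IdM admin password comes from an Ansible Vault file instead of
# being written into the playbook.
#
# Assumed one-time setup in ~/MyPlaybooks/:
#   $ ansible-vault create secret.yml
# with this single line as the content of the encrypted file:
#   ipaadmin_password: <IdM admin password>
#
# Run with:
#   $ ansible-playbook -v -i inventory --ask-vault-pass del-trust-vault.yml
- name: Playbook to delete trust
  hosts: ipaserver
  become: true
  vars_files:
    # Resolved relative to the playbook; decrypted in memory at run time,
    # so the password stays encrypted on disk and in version control.
    - secret.yml
  tasks:
    - name: ensure the trust is absent
      ipatrust:
        ipaadmin_password: "{{ ipaadmin_password }}"
        realm: ad.example.com
        state: absent
      # Suppress this task's arguments and result in -v output and logs.
      no_log: true
```

With no_log set, a failed task reports only a censored message, so remove that line temporarily when troubleshooting.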
Verification steps
Use the ipa trust-show command to confirm that the trust has been removed.
[root@server ~]# ipa trust-show ad.example.com
ipa: ERROR: ad.example.com: trust not found
Additional resources
- /usr/share/doc/ansible-freeipa/README-trust.md
- /usr/share/doc/ansible-freeipa/playbooks/trust