ipa-client-samba: a tool to configure Samba domain member on IPA client

Introduces new utility to configure Samba on an IPA domain member.

The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.

Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.

Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.

The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>

ipaserver/install/plugins/adtrust.py

@@ -740,7 +740,7 @@ class update_host_cifs_keytabs(Updater):
 
     def extract_key_refs(self, keytab):
         host_princ = self.host_princ_template.format(
-            master=self.api.host, realm=self.api.realm)
+            master=self.api.env.host, realm=self.api.env.realm)
         result = ipautil.run([paths.KLIST, "-etK", "-k", keytab],
                              capture_output=True, raiseonerr=False,
                              nolog_output=True)