Add separate attribute to store trusted domain SID

We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.

https://fedorahosted.org/freeipa/ticket/2191

install/share/replica-s4u2proxy.ldif

@@ -2,8 +2,17 @@ dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: modify
 add: memberPrincipal
 memberPrincipal: HTTP/$FQDN@$REALM
+-
+add: ipaAllowedTarget
+ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 
 dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: modify
 add: memberPrincipal
 memberPrincipal: ldap/$FQDN@$REALM
+
+dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: modify
+add: memberPrincipal
+memberPrincipal: cifs/$FQDN@$REALM
+