Disable canonicalization during password changes
    
    If canonicalization is enabled Active Directory KDCs return
    'krbtgt/AD.DOMAIN' as service name instead of the expected
    'kadmin/changepw' which causes a 'KDC reply did not match expectations'
    error.
    
    Additionally the forwardable and proxiable flags are disabled, the
    renewable lifetime is set to 0 and the lifetime of the ticket is set to
    5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405
    and also done by the kpasswd utility.
    
    Fixes: https://fedorahosted.org/sssd/ticket/1405
           https://fedorahosted.org/sssd/ticket/1615