ipa/client: Ignore hosts still hooked up with FAS

This is necessary because:

- The ipa/client role is pulled in if only one host is in the play which
  uses it.
- The prepare-ipa-info tasks operate on all hosts in the play in order
  to gather together operations on the IPA server which would otherwise
  be (potentially, unnecessarily) repeated for many hosts in the play
  and which have to be serialized to avoid race conditions when changing
  data in IPA.

For now, we set `primary_auth_source` to `fas` for `all`, and to `ipa`
for the `staging` group. We can set this to `ipa` for individual host
groups in prod to enable this piecemeal while we roll out the change.

Fixes: https://pagure.io/fedora-infrastructure/issue/9674
Signed-off-by: Nils Philippsen <nils@redhat.com>