trusts: support subdomains in a forest
    
    Add IPA CLI to manage trust domains.
    
    ipa trust-fetch-domains <trust>      -- fetch list of subdomains from AD side and add new ones to IPA
    ipa trustdomain-find <trust>         -- show all available domains
    ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
    ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
    ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain
    
    By default all discovered trust domains are allowed to access IPA resources
    
    IPA KDC needs also information for authentication paths to subdomains in case they
    are not hierarchical under AD forest trust root. This information is managed via capaths
    section in krb5.conf. SSSD should be able to generate it once
    ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.
    
    part of https://fedorahosted.org/freeipa/ticket/3909