110812b ipa-kdb: add asserted identity SIDs

Authored and Committed by abbra 3 years ago
    ipa-kdb: add asserted identity SIDs
    
    Depending on whether the identity of a principal was asserted by the KDC or
    by a service doing protocol transition (S4U2Self), AD DCs add a
    special extra SID to a PAC record:
    
     - S-1-18-1 is a SID for an Authentication Authority Asserted Identity
     - S-1-18-2 is a SID for a Service Asserted Identity
    
    This behavior is governed by [MS-SFU] 3.2.5.1.2 "KDC replies with Service
    Ticket".
    
    In order to add an asserted identity SID, we need to pass down the
    client flags as set by the KDC and check for a protocol transition bit.
    
    Fixes: https://pagure.io/freeipa/issue/8319
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
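
The selection rule described in the commit message, as an added example that is not code from this commit or from FreeIPA: it picks the asserted identity SID from the client flags and encodes it in the packed binary SID layout (revision, sub-authority count, big-endian authority, little-endian sub-authorities). `EX_FLAG_PROTOCOL_TRANSITION`, `asserted_identity_sid` and `sid_to_binary` are hypothetical names, and the flag value is a stand-in for the KDC's real protocol transition bit.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: stand-in flag bit; the real KDC constant is not on this page. */
#define EX_FLAG_PROTOCOL_TRANSITION 0x1u

/* Pick the asserted identity SID from the client flags. */
const char *asserted_identity_sid(unsigned int client_flags)
{
    return (client_flags & EX_FLAG_PROTOCOL_TRANSITION)
        ? "S-1-18-2"   /* Service Asserted Identity (S4U2Self) */
        : "S-1-18-1";  /* Authentication Authority Asserted Identity */
}

/* Encode "S-1-<authority>-<sub>..." into the packed binary SID layout:
 * revision, sub-authority count, 48-bit big-endian authority, then
 * 32-bit little-endian sub-authorities. Returns the length or -1. */
int sid_to_binary(const char *sid, uint8_t *out, size_t outlen)
{
    unsigned long long auth, sub;
    int n = 0, count = 0;
    size_t pos = 8;

    if (outlen < 8 || sscanf(sid, "S-1-%llu%n", &auth, &n) != 1 || auth >> 48)
        return -1;
    out[0] = 1;                                   /* revision */
    for (int i = 0; i < 6; i++)
        out[2 + i] = (uint8_t)(auth >> (8 * (5 - i)));
    for (sid += n; *sid == '-'; sid += n, count++) {
        if (count == 15 || pos + 4 > outlen ||
            sscanf(sid, "-%llu%n", &sub, &n) != 1 || sub > 0xFFFFFFFFull)
            return -1;                            /* malformed or too long */
        for (int i = 0; i < 4; i++)
            out[pos++] = (uint8_t)(sub >> (8 * i));
    }
    if (*sid != '\0')
        return -1;                                /* trailing garbage */
    out[1] = (uint8_t)count;
    return (int)pos;
}

int main(void)
{
    uint8_t buf[68];
    const char *sid = asserted_identity_sid(EX_FLAG_PROTOCOL_TRANSITION);
    int len = sid_to_binary(sid, buf, sizeof(buf));
    printf("%s ->", sid);
    for (int i = 0; i < len; i++)
        printf(" %02x", buf[i]);
    return puts("") == EOF;
}
```

When reviewing decoded PAC contents, the presence of S-1-18-2 rather than S-1-18-1 among the extra SIDs indicates that the ticket came from protocol transition and not from the KDC authenticating the client itself.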