741f64f ipa-kdb: Always allow services to get PAC if needed

Authored and Committed by abbra 3 years ago
    ipa-kdb: Always allow services to get PAC if needed
    
    Previously, FreeIPA only allowed issuing a PAC record in a ticket
    for the following principal types:
       - for IPA users
       - for a host principal of one of IPA masters
       - for a cifs/ or HTTP/ service on one of IPA masters
    
    To allow S4U2Self operations over trust to AD, an impersonating service
    must have a PAC record in its TGT to be able to ask AD DCs for an S4U2Self
    ticket. It means any IPA service performing S4U2Self would need to have
    a PAC record, and the constraints above prevent it from doing so.
    
    However, depending on whether the service or host principal belongs to
    one of IPA masters, we need to set proper primary RID to 516 (domain
    controllers) or 515 (domain computers).
    
    Fixes: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
    
        
file modified
+19 -58
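The PAC-issuance rule described in the commit message, modelled as an added example that is not FreeIPA's ipa-kdb code: it parses a Kerberos principal name, applies the old rule (users, host principals of masters, cifs/ or HTTP/ on masters) and the new one (every host or service principal gets a PAC), and picks the primary RID 516 or 515 by whether the principal's host is an IPA master. The realm, host names, the master list and every function and class name are constructed for the illustration; the user case is shown only as "PAC issued", because the commit does not describe the user RID.

```python
"""Model of the PAC-issuance policy from the commit message.

Added illustration; not FreeIPA's ipa-kdb implementation. Realm, host names,
the master list and all helper names are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Well-known AD group RIDs named in the commit message.
RID_DOMAIN_COMPUTERS = 515
RID_DOMAIN_CONTROLLERS = 516

# Constructed set of IPA master FQDNs (lower-case).
MASTERS = {"master1.example.test", "master2.example.test"}


@dataclass(frozen=True)
class Principal:
    primary: str             # user name, or "host", "cifs", "HTTP", ... for host/service principals
    instance: Optional[str]  # host FQDN of a host/service principal; None for a user
    realm: str


@dataclass(frozen=True)
class PacDecision:
    issue_pac: bool
    primary_rid: Optional[int]  # None when no PAC is issued, or for users (RID not covered by the commit)


def parse_principal(name: str) -> Principal:
    """Split 'primary[/instance]@REALM' into its parts (no quoting/escaping handled)."""
    if "@" not in name:
        raise ValueError(f"principal has no realm: {name!r}")
    local, realm = name.rsplit("@", 1)
    parts = local.split("/")
    if len(parts) == 1 and parts[0]:
        return Principal(parts[0], None, realm)
    if len(parts) == 2 and parts[0] and parts[1]:
        return Principal(parts[0], parts[1].lower(), realm)
    raise ValueError(f"unsupported principal form: {name!r}")


def is_user(p: Principal) -> bool:
    return p.instance is None


def is_host(p: Principal) -> bool:
    return p.primary == "host" and p.instance is not None


def is_service(p: Principal) -> bool:
    return p.instance is not None and p.primary != "host"


def on_master(p: Principal, masters: set) -> bool:
    return p.instance is not None and p.instance in masters


def pac_allowed_before(p: Principal, masters: set) -> bool:
    """Pre-commit rule: users, host principals of masters, cifs/ or HTTP/ on masters."""
    if is_user(p):
        return True
    if is_host(p):
        return on_master(p, masters)
    return is_service(p) and on_master(p, masters) and p.primary in ("cifs", "HTTP")


def pac_decision_after(p: Principal, masters: set) -> PacDecision:
    """Post-commit rule: every host/service principal gets a PAC; the primary RID
    is 516 on an IPA master and 515 elsewhere. Users keep getting a PAC (their
    RID is not part of this change and is left as None here)."""
    if is_user(p):
        return PacDecision(True, None)
    rid = RID_DOMAIN_CONTROLLERS if on_master(p, masters) else RID_DOMAIN_COMPUTERS
    return PacDecision(True, rid)


def compare(name: str, masters: set = MASTERS) -> tuple:
    """Return (PAC allowed before the commit, decision after the commit)."""
    p = parse_principal(name)
    return pac_allowed_before(p, masters), pac_decision_after(p, masters)


if __name__ == "__main__":
    for n in ("alice@EXAMPLE.TEST",
              "host/master1.example.test@EXAMPLE.TEST",
              "cifs/master1.example.test@EXAMPLE.TEST",
              "host/client.example.test@EXAMPLE.TEST",
              "HTTP/app.example.test@EXAMPLE.TEST"):  # impersonating service doing S4U2Self over trust
        before, after = compare(n)
        print(f"{n:45} before={before!s:5} after=pac:{after.issue_pac} rid:{after.primary_rid}")
```

The last principal in the demo is the case the commit fixes: a non-master HTTP/ service that needs a PAC in its TGT before an AD DC will answer its S4U2Self request; under the old rule it got none, under the new rule it gets a PAC with primary RID 515.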