subdomains: Use AD admin credentials when trust is being established
    
    When AD administrator credentials passed, they stored in realm_passwd,
    not realm_password in the options.
    
    When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
    to normalize them.
    
    Additionally, force Samba auth module to use NTLMSSP in case we have
    credentials because at the point when trust is established, KDC is not
    yet ready to issue tickets to a service in the other realm due to
    MS-PAC information caching effects. The logic is a bit fuzzy because
    credentials code makes decisions on what to use based on the smb.conf
    parameters and Python bindings to set parameters to smb.conf make it so
    that auth module believes these parameters were overidden by the user
    through the command line and ignore some of options. We have to do calls
    in the right order to force NTLMSSP use instead of Kerberos.
    
    Fixes https://fedorahosted.org/freeipa/ticket/4046