84b2269 ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case

Authored and Committed by abbra 10 years ago
    ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case
    
    When a trust is established, we also create an idrange for the trusted domain.
    With FreeIPA 3.3 these ranges can have different types, and in order to
    detect which one to create, we need to do a lookup at the AD LDAP server.
    
    Such a lookup requires an authenticated bind. We cannot bind as the user because
    the IPA framework operates under constrained delegation using the user's
    credentials, and allowing HTTP/ipa.server@REALM to impersonate the user
    against the trusted domain's services would require two major things:
    
      - first, as we don't really know exact AD LDAP server names (any AD DC
        can be used), constrained delegation would have to be defined against
        a wild-card
    
      - second, constrained delegation requires that target principal exists
        in IPA LDAP as DN.
    
    These two together limit the use of the user's ticket for the purpose of the IPA
    framework looking up AD LDAP.
    
    Additionally, immediately after the trust is established, issuing a TGT with
    MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that the KDB driver
    has not yet refreshed its list of trusted domains -- we have a limited
    refresh rate of 60 seconds by default.
    
    This patch makes it possible to force re-initialization of the trusted domains'
    view in the KDB driver if we are asked for a TGT for HTTP/ipa.server@REALM.
    
    We will need to improve the refresh of the trusted domains' view in the KDB driver
    in the future to notice changes in the cn=etc,$SUFFIX tree automatically.
    
    This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and
    https://fedorahosted.org/freeipa/ticket/3626
    
    Part of https://fedorahosted.org/freeipa/ticket/3649
    
file modified
+2 -2
file modified
+1 -1