ipaserver/dcerpc.py: use Kerberos authentication for discovery
    
    In FIPS mode we cannot rely on NTLMSSP at all, so we have ensure
    Kerberos is used by Samba Python libraries. This is achieved by
    requiring credentials objects to always use Kerberos authentication.
    
    Additionally, we have to normalize the principal used to authenticate.
    In case it was passed without realm, add forest root domain as a realm.
    In case it was passed with NetBIOS domain name, remove it and replace
    with a realm. Since we only know about the forest root domain as a
    realm, require that for other domains' users a real Kerberos principal
    is specified.
    
    Fixes: https://pagure.io/freeipa/issue/8655
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>