ipa-sam: retrieve trusted domain account credential from the TDO itself
    
    When NRPC netr_ServerAuthenticate3 call is performed, a trusted AD DC
    would use trusted domain account to authenticate to Samba. This means
    that Samba would do internally samr_QueryUserInfo2 request with level 16
    (UserControlInformation), coming to PDB module via pdb_getsampwsid()
    call.
    
    For normal user or workstation accounts we expect to have Kerberos keys
    available and may be able to extract NTLM hash data from them. However,
    trusted domain account is not a normal Kebreros principal. It stores TDO
    credential in a different way. Since we never processed it through the
    pdb_getsampwsid() call, it was not possible to retrieve the NTLM hash
    for TDO account at all, hence netr_ServerAuthenticate3 call was failing.
    
    NTLM hash is used internally in Samba. An external communication with AD
    DC will use an AES-based session key that is derived from the TDO
    credential. The credential itself can  be treated as a plaintext here.
    
    Fix it by adding a recognition of the trusted domain object account and
    retrieve the NTLM hash from the correct attribute of the TDO.
    
    Fixes: https://pagure.io/freeipa/issue/9134
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>