Keytab retrieval: allow requesting arcfour-hmac for SMB services
    
    With system-wide crypto policy in use, arcfour-hmac encryption type
    might be removed from the list of permitted encryption types in the MIT
    Kerberos library. Applications aren't prevented to use the arcfour-hmac
    enctype if they operate on it directly.
    
    Since FreeIPA supported and default encryption types stored in LDAP, on
    the server side we don't directly use a set of permitted encryption
    types provided by the MIT Kerberos library. However, this set will be
    trimmed to disallow arcfour-hmac and other weaker types by default.
    
    While the arcfour-hmac key can be generated and retrieved, MIT Kerberos
    library will still not allow its use in Kerberos protocol if it is not
    on the list of permitted encryption types. We only need this workaround
    to allow setting up arcfour-hmac key for SMB services where arcfour-hmac
    key is used to validate communication between a domain member and its
    domain controller. Without this fix it will not be possible to request
    setting up a machine account credential from the domain member side. The
    latter is needed for Samba running on IPA client.
    
    Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly
    allow arcfour-hmac encryption type for SMB services (Kerberos principal
    name starts with cifs/).
    
    Reviewed-By: Christian Heimes <cheimes@redhat.com>