c90ba94 ipa-kdb: add better detection of allowed user auth type

1 file. Authored by abbra 6 months ago; committed by frenaud 6 months ago.
    ipa-kdb: add better detection of allowed user auth type
    
    If default user authentication type is set to a list that does not
    include a password or a hardened credential, the resulting configuration
    might be incorrect for special service principals, including a krbtgt/..
    one.
    
    Add detection of special principals to avoid these situations and always
    allow password or hardened for services.
    
    Special handling is needed for the following principals:
    
     - krbtgt/..       -- TGT service principals
     - K/M             -- master key principal
     - kadmin/changepw -- service for changing passwords
     - kadmin/kadmin   -- kadmin service principal
     - kadmin/history  -- key used to encrypt history
    
    Additionally, implicitly allow password or hardened credential use for
    IPA services and IPA hosts since applications typically use keytabs for
    that purpose.
    
    Fixes: https://pagure.io/freeipa/issue/9485
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
    
        
file modified
+54 -8
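
The decision the commit message describes, sketched as an added example; this is not the ipa-kdb code from the commit. The auth-type bits, the function names, and the `ipa_service_or_host` flag (standing in for however the KDB driver recognises IPA service and host entries) are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical auth-type bits for this sketch; not ipa-kdb's constants. */
enum { UA_PASSWORD = 1 << 0, UA_OTP = 1 << 1, UA_HARDENED = 1 << 2 };

/* Exact-match special principals listed in the commit message. */
static const char *const special_names[] = {
    "K/M", "kadmin/changepw", "kadmin/kadmin", "kadmin/history",
};

/* True for krbtgt/<anything> and the exact names above. `princ` is an
 * unparsed principal name, with or without a trailing @REALM. */
bool is_special_principal(const char *princ)
{
    const char *at = strrchr(princ, '@');
    size_t len = at ? (size_t)(at - princ) : strlen(princ);
    size_t n = sizeof(special_names) / sizeof(special_names[0]);

    if (len > 7 && strncmp(princ, "krbtgt/", 7) == 0)
        return true;
    for (size_t i = 0; i < n; i++)
        if (strlen(special_names[i]) == len &&
            strncmp(princ, special_names[i], len) == 0)
            return true;
    return false;
}

/* Effective auth types for one principal. Assumption: "always allow" is
 * modelled by OR-ing password and hardened into the configured default. */
unsigned effective_auth_types(const char *princ, bool ipa_service_or_host,
                              unsigned configured_default)
{
    if (is_special_principal(princ) || ipa_service_or_host)
        return configured_default | UA_PASSWORD | UA_HARDENED;
    return configured_default;
}

int main(void)
{
    /* Constructed sample: default auth type restricted to OTP only. */
    const char *p[] = { "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST", "alice@EXAMPLE.TEST" };
    for (int i = 0; i < 2; i++)
        printf("%-34s -> 0x%x\n", p[i], effective_auth_types(p[i], false, UA_OTP));
    return 0;
}
```

With an OTP-only default, the TGT principal still ends up with password and hardened allowed, while an ordinary user keeps exactly the configured default.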