extra_attrs can be a list of sysdb_attrs which are not available on the
server side but should be store with the cached user entry.

If the sssd.conf domain name was different from the joined domain name,
but sssd was joined to the forest root, the AD subdomains code considered
sssd joined to a non-root domain and tried to discover the forest root.

This could be reproduced by joining sssd to a domain, for example
win.trust.test but calling the sssd.conf domain otherwise, for example:
[domain/addomain]
ad_domain = win.trust.test

This is/was a frequent use-case in the RHEL world, where authconfig
often names the sssd.conf domain 'default'.

Without the patch, the trusted domains were not detected.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Currently in order to match multiple LDAP search results we
use two different functions - we have sysdb_try_to_find_expected_dn()
but also sdap_object_in_domain().

This patch removes sysdb_try_to_find_expected_dn() and add new
sdap_search_initgr_user_in_batch() based on sdap_object_in_domain().
This function covers necessary logic.

Resolves:
https://fedorahosted.org/sssd/ticket/3230

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Add boolean to convert_attributes function and pass boolean as argument
to sudo conversion functions to add logic for skipping unexpected
entries like replication conflicts.

Resolves:
https://fedorahosted.org/sssd/ticket/3288

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

It should be more clear to administrators that when SSSD internal
port status is set as PORT_NOT_WORKING, this does not directly relate
to an assumed network port-related issue.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

In case on any krb5 related error, we tried to send string
interpretation of krb5 error tb parrent in prepare_response.

However, we cannot use global krb5 context (krb5_error_ctx)
because the context is every time released in done section of
ldap_child_get_tgt_sync.

This patch rather return duplicated string to prevent use after free.

Backtrace:
 #0  __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
 100     ../sysdeps/x86_64/multiarch/strchr.S: No such file or directory.

 Thread 1 (Thread 0x7fc96cad5880 (LWP 11201)):
 #0  __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
 No locals.
 #1  0x00007fc96be43725 in err_fmt_fmt (msg=0x7fc96d1cf8d0 "Cannot find KDC for requested realm",
                                        code=-1765328230,
                                        err_fmt=<optimized out>) at kerrs.c:152
        buf = {buftype = K5BUF_DYNAMIC, data = 0x7fc96d1cdb10,
               space = 128, len = 0}
        p = <optimized out>
        s = 0xdededededededede <Address 0xdededededededede out of bounds>
 #2  krb5_get_error_message (ctx=<optimized out>,
                             code=code@entry=-1765328230) at kerrs.c:184
        std = 0x7fc96d1cf8d0 "Cannot find KDC for requested realm"
 #3  0x00007fc96cb224e5 in sss_krb5_get_error_message (ctx=<optimized out>,
                                                       ec=ec@entry=-1765328230) at src/util/sss_krb5.c:424
 No locals.
 #4  0x00007fc96cb1fbb0 in prepare_response (rsp=<synthetic pointer>,
                                             kerr=-1765328230, expire_time=0,
                                             ccname=0x0,
                                             mem_ctx=0x7fc96d1cb390) at src/providers/ldap/ldap_child.c:553
        ret = <optimized out>
        r = 0x7fc96d1cd8b0
        krb5_msg = 0x0

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>