Add the IPA version, and vendor version if applicable, to the beginning
of admintool logs -- both framework and indivitual tools that don't yet
use the framework.
This will make debugging easier.

https://fedorahosted.org/freeipa/ticket/4219

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.

FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2

https://fedorahosted.org/freeipa/ticket/3438

Updated by pviktori@redhat.com

The uninstall method of the AD trust instance was not called upon
at all in the ipa-server-install --uninstall phase.

This patch makes sure that AD trust instance is unconfigured when
the server is uninstalled.

The following steps are undertaken:
  * Remove /var/run/samba/krb5cc_samba
  * Remove our keys from /etc/samba/samba.keytab using ipa-rmkeytab
  * Remove /var/lib/samba/*.tdb files

Additionally, we make sure winbind service is stopped from within the
stop() method.

Part of: https://fedorahosted.org/freeipa/ticket/3479

In case /etc/samba/smb.conf exists and it was not created by ipa-adtrust-install,
print a warning that we will break existing samba configuration and ask for
a confirmation in the interactive mode.

Part of: https://fedorahosted.org/freeipa/ticket/3479

If the IPA server is setup with non-matching domain and realm
names, it will not be able to estabilish trust with the Active
Directory.

Adds warnings to the ipa-server-install and warning to the
ipa-adtrust-install (which has to be confirmed).

Man pages for the ipa-server-install and ipa-adtrust-install were
updated with the relevant notes.

https://fedorahosted.org/freeipa/ticket/3924

Enables  support  for  trusted  domains  users  for old clients through Schema
Compatibility plugin.  SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs  to  use  this  option.  When  enabled, slapi-nis  package  needs  to
be  installed  and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under  cn=users,cn=compat,$SUFFIX  and
cn=groups,cn=compat,$SUFFIX trees.  SSSD will normalize names of users and
groups to lower case.

In  addition  to  providing  these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

This authentication  is related to  PAM  stack  using  'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is  not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.

https://fedorahosted.org/freeipa/ticket/3567

Unattended ipa-adtrust-install used to fail if --netbios option
was not provided. This patches fixes this, so that instead of
failing the default NETBIOS name is used.

https://fedorahosted.org/freeipa/ticket/3497

Remove all unused LDAP-related imports, plus some other ones.

This should make it easier to quickly check what uses which LDAP wrapper

When ipa-adtrust-install is run, check if there are any objects
that need have SID generated. If yes, interactively ask the user
if the sidgen task should be run.

https://fedorahosted.org/freeipa/ticket/3195