With this change it's possible to bootstrap a KDC using a client
certificate with a PKINIT SAN for iprop/fqdn. Given such a certificate
one could run ipropd-slave via kinit to pull down the initial copy of
the HDB, then start the KDC services using the HDBGET: keytab.
That should make bootstrapping new secondary KDCs very easy.
One could bootstrap the KDC with such a certificate using, e.g.,
Safeboot (https://github.com/osresearch/safeboot), enrolling the host as
a KDC.
f90f055659