[FFe]: Enable sssd-secrets service

Please enable the sssd-secrets service. This needs the MIR for http-parser (#1638957) to pass.

[Rationale]
From the MIR bug (#1638957):
The Debian sssd package has the secrets service enabled, and disabling it in the Ubuntu package is part of the delta we carry.

The secrets service can be used as a generic key/value database for secrets, and one of its consumers is a kerberos KDC via KCM (Kerberos Cache Manager), implemented by sssd-kcm. sssd-kcm gives users an option to store the credentials in a cache that persists reboots, as opposed to when it's stored in the kernel keyring or in /tmp, when that is a tmpfs.

sssd-secrets can also use a remote Custodia [https://github.com/simo5/custodia] (in Universe) server to store its secrets there.

sssd-secrets is unix socket activated and won't be running until there is a connection to that socket.

[Testing]
This is the testing that was done. Only the local store was tested, not the Custodia remote server case.

During testing, I found a related bug and filed a bug in debian about it with a related MP in salsa (https://bugs.debian.org/892315).

Quick simple test
=================
sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
sudo apt install sssd

# Store a secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XPUT http://localhost/secrets/foo -d'{"type":"simple","value":"foosecret"}';echo
<html>
<head>
<title>200 OK</title></head>
<body>
<h1>OK</h1>
<p>Success</p>
</body>

# retrieve the secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
{
    "type": "simple",
    "value": "foosecret"
}

# try to retrieve the same secret but as a different user won't work because secrets are per user
$ sudo curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
<html>
<head>
<title>404 Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The requested resource was not found.</p>
</body>

Extended test
=============
This is a more extended version of this verification and it tests the integration of the secrets service between three services: the secrets service itself, MIT kerberos client libraries, and the sssd-kcm service (kerberos cache manager).

sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
sudo apt install sssd sssd-kcm

# use EXAMPLE.COM for the kerberos realm, and localhost for the admin and kdc servers, when prompted
sudo apt install krb5-user krb5-kdc krb5-admin-server

# the kdc will fail to start because there is no realm yet, that's ok. We will create it now. Use whatever password you want
sudo krb5_newrealm

# create a kerberos principal. This uses "secret" as a password
sudo kadmin.local -q "addprinc -pw secret ubuntu"

# edit /etc/krb5.conf and tell the library to use KCM by default
[libdefaults]
        default_ccache_name = KCM: # <-- add this line

# create /etc/sssd/sssd.conf with these contents:
[sssd]
config_file_version = 2
services = pam
domains = example.com

[pam]

[domain/example.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = localhost
krb5_realm = EXAMPLE.COM

# adjust permissions
sudo chmod 0600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf

# (re)start sssd
sudo systemctl restart sssd

# test getting a ticket for "ubuntu". Notice how the cache is using "KCM":
ubuntu@bionic-sssd-http-parser:~$ kinit
Password for <email address hidden>:

ubuntu@bionic-sssd-http-parser:~$ klist
Ticket cache: KCM:1000
Default principal: <email address hidden>

Valid starting Expires Service principal
03/08/18 13:09:12 03/08/18 23:09:12 <email address hidden>
 renew until 03/09/18 13:09:10

# install ldb-tools
sudo apt install ldb-tools

# perform a search on the secrets database to see the entry created by kcm
$ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
# record 1
dn: cn=3615a3ca-b857-4ee6-ae70-3a82485276b3-1000,cn=ccache,cn=1000,cn=persistent,cn=kcm

# record 2
dn: cn=ccache,cn=1000,cn=persistent,cn=kcm

# returned 2 records
# 2 entries
# 0 referrals

# destroy the kerberos ticket and confirm it's gone from the secrets database
ubuntu@bionic-sssd-http-parser:~$ kdestroy
ubuntu@bionic-sssd-http-parser:~$ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
# returned 0 records
# 0 entries
# 0 referrals