The certificate policy manager is configured via the Windows GPO
entries instead of our custom ADMX/ADML counterpart. We were already able
to parse these entries but we were excluding them as they didn't start
with our Ubuntu-specific prefix.

The easiest way to make this work is to add the Ubuntu prefix to the
keys that we want to use in our certificate policy manager.

We will need to know both the domain and online status of the backend
for the certificate policy manager. Since the backend object contains
both of these, pass it along when creating the policy manager object.

This manager leverages the Samba implementation of certificate
autoenrollment. It contains a few patches and fixes on top of the
samba#master version of `gp_cert_auto_enroll_ext.py` file, that will
ultimately be upstreamed.

Autoenrollment is performed via a separate policy manager that runs a
helper Python script (`cert-autoenroll`) which communicates with the
Windows CEP/CES services through Samba. For better control and to avoid
unexpected behavior we vendor the required Samba files, which are
confirmed to work on all Ubuntu versions starting with (and including)
Jammy (22.04).

Samba has its own cache mechanism which stores information concerning
the applied GPOs which we are using in order to ensure idempotency.

By default, Samba would parse the .reg file itself (see the
process_group_policy method from the vendored code). However, it is
better to have this functionality entirely within adsys so we can
provide samba the pre-parsed list of GPO entries and override the entry
point of the extension. This ensures we don't operate on disk files
which can change at anytime (even during adsys policy application).
Doing this we also have better knowledge on the enabled/disabled state
of the GPO entry used to configure the policy.

The advanced configuration entries are passed via JSON to the external
script which then takes care to create the proper PReg entries that can
be used by Samba to apply additional logic when determining the policy
servers to use.

Fixes UDENG-1056

Similar to the adsys-gpolist, provide a way for users to dump the
certificate autoenrollment script for debugging purposes.

The Samba implementation creates the private directory with 0700
permissions and uses 0755 for the rest. We should honor that in our
implementation as well.

Additionally, create the global trust dir on the off chance it doesn't
already exist.

And change the naming from stateDir to sambaCacheDir to better reflect
what the path is used for.

Similar to our other policy manager behaviors, if the certificate policy
is either disabled or not configured, unenroll the machine if
applicable.

To avoid running the helper Python script on every policy apply,
determine if we actually need to unenroll by checking the existence of
the Samba cache directory. Additionally, update the Python script to
remove the directory after unenrollment is successful.

Because Python coverage can't be parallelized, avoid running these tests
in parallel.