trusts: format Kerberos principal properly when fetching trust topology
    
    For bidirectional trust if we have AD administrator credentials, we
    should be using them with Kerberos authentication. If we don't have
    AD administrator credentials, we should be using
    HTTP/ipa.master@IPA.REALM credentials. This means we should ask
    formatting 'creds' object in Kerberos style.
    
    For one-way trust we'll be fetching trust topology as TDO object,
    authenticating with pre-created Kerberos credentials cache, so in all
    cases we do use Kerberos authentication to talk to Active Directory
    domain controllers over cross-forest trust link.
    
    Part of trust refactoring series.
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190
    Fixes: https://fedorahosted.org/freeipa/ticket/5182
    Reviewed-By: Tomas Babej <tbabej@redhat.com>