
Pagure #9712: [ipa-4-9] ipa-server-upgrade fails after established trust with ad


Cloned from: https://pagure.io/freeipa/issue/9712

### Issue
`ipa` upgrade fails after established trust with ad.

#### Steps to Reproduce
1. install `ipa 4.9.14`
2. configure `ipa` domain
3. establish trust with ad
4. install `ipa 4.9.14` + fixes from `ipa-4-9` branch.
The fix from https://pagure.io/freeipa/issue/9471 (https://pagure.io/freeipa/c/90eeb04e6973aae1ffb47813c65473b93f3da3a0) must be included to trigger the issue.
5. run `ipactl restart`

#### Actual behavior
`ipactl restart` fails with:
```
Job for ipa.service failed because the control process exited with error code.
See "systemctl status ipa.service" and "journalctl -xeu ipa.service" for details.
```

`ipaupgrade.log`:
```
2024-12-04T14:26:03Z DEBUG Executing upgrade plugin: update_tdo_to_new_layout
2024-12-04T14:26:03Z DEBUG raw: update_tdo_to_new_layout
2024-12-04T14:26:03Z DEBUG raw: adtrust_is_enabled(version='2.251')
2024-12-04T14:26:03Z DEBUG adtrust_is_enabled(version='2.251')
2024-12-04T14:26:03Z DEBUG raw: trustconfig_show(version='2.251')
2024-12-04T14:26:03Z DEBUG trustconfig_show(rights=False, trust_type='ad', all=False, raw=False, version='2.251')
2024-12-04T14:26:03Z DEBUG Processing trust domain object cn=trustd.trustdomain,cn=ad,cn=trusts,dc=freeipa,dc=testdomain
2024-12-04T14:26:03Z DEBUG Updating Kerberos principal entry for krbtgt/TRUSTD.TRUSTDOMAIN@FREEIPA.TESTDOMAIN
2024-12-04T14:26:03Z DEBUG No update was required for Kerberos principal krbtgt/TRUSTD.TRUSTDOMAIN@FREEIPA.TESTDOMAIN
2024-12-04T14:26:03Z DEBUG No need to update Kerberos keys for existing Kerberos principal krbtgt/TRUSTD.TRUSTDOMAIN@FREEIPA.TESTDOMAIN
2024-12-04T14:26:03Z DEBUG Adding Kerberos principal entry for krbtgt/TRUSTD@FREEIPA.TESTDOMAIN
2024-12-04T14:26:03Z DEBUG Destroyed connection context.ldap2_140061374847008
2024-12-04T14:26:03Z ERROR Upgrade failed with attribute "ipaAllowedToPerform;read_keys" not allowed
```

`dirsrv` `access` log:
```
[04/Dec/2024:17:26:03.776162223 +0300] conn=4 op=462 SRCH base="krbprincipalname=krbtgt/TRUSTD.TRUSTDOMAIN@FREEIPA.TESTDOMAIN,cn=trustd.trustdomain,cn=ad,cn=trusts,dc=freeipa,dc=testdomain" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Dec/2024:17:26:03.776540334 +0300] conn=4 op=462 RESULT err=0 tag=101 nentries=1 wtime=0.000897883 optime=0.000379332 etime=0.001274678
[04/Dec/2024:17:26:03.777233023 +0300] conn=4 op=463 SRCH base="krbprincipalname=krbtgt/TRUSTD@FREEIPA.TESTDOMAIN,cn=trustd.trustdomain,cn=ad,cn=trusts,dc=freeipa,dc=testdomain" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Dec/2024:17:26:03.777452817 +0300] conn=4 op=463 RESULT err=32 tag=101 nentries=0 wtime=0.000669302 optime=0.000221026 etime=0.000887813
[04/Dec/2024:17:26:03.777659765 +0300] conn=4 op=464 SRCH base="krbprincipalname=TRUSTD$@FREEIPA.TESTDOMAIN,cn=trustd.trustdomain,cn=ad,cn=trusts,dc=freeipa,dc=testdomain" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Dec/2024:17:26:03.778043269 +0300] conn=4 op=464 RESULT err=0 tag=101 nentries=1 wtime=0.000181995 optime=0.000383983 etime=0.000563519
[04/Dec/2024:17:26:03.778320457 +0300] conn=4 op=465 DEL dn="krbPrincipalName=TRUSTD$@FREEIPA.TESTDOMAIN,cn=trustd.trustdomain,cn=ad,cn=trusts,dc=freeipa,dc=testdomain"
[04/Dec/2024:17:26:03.787218288 +0300] conn=4 op=465 RESULT err=0 tag=107 nentries=0 wtime=0.000248254 optime=0.008902561 etime=0.009146789
[04/Dec/2024:17:26:03.788080996 +0300] conn=4 op=466 ADD dn="krbprincipalname=krbtgt/TRUSTD@FREEIPA.TESTDOMAIN,cn=trustd.trustdomain,cn=ad,cn=trusts,dc=freeipa,dc=testdomain"
[04/Dec/2024:17:26:03.789528942 +0300] conn=4 op=466 RESULT err=65 tag=105 nentries=0 wtime=0.000596456 optime=0.001453382 etime=0.002046431 - attribute "ipaAllowedToPerform;read_keys" not allowed
```

#### Expected behavior
No error.

#### Additional info
https://pagure.io/freeipa/c/90eeb04e6973aae1ffb47813c65473b93f3da3a0 triggers the issue.

Didn't check on today's `master`, it may be affected too.
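To make a failure like this visible from the directory server side, the following script (an added example, not code from the issue or from FreeIPA) correlates each request in the `dirsrv` access log with its `RESULT` line by `conn`/`op` and lists the write operations that did not return `err=0`, so the op=466 `ADD` and its server message stand out while the expected `err=32` on the preceding lookup is ignored. The embedded lines are three request/result pairs copied from the access log quoted above; the regexes assume the standard 389-ds access-log layout shown there.

```python
import re

# Constructed sample: three request/RESULT pairs copied from the dirsrv
# access log quoted in the issue (op=463 lookup, op=465 DEL, op=466 ADD).
ACCESS_LOG = """\
[04/Dec/2024:17:26:03.777233023 +0300] conn=4 op=463 SRCH base="krbprincipalname=krbtgt/TRUSTD@FREEIPA.TESTDOMAIN,cn=trustd.trustdomain,cn=ad,cn=trusts,dc=freeipa,dc=testdomain" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Dec/2024:17:26:03.777452817 +0300] conn=4 op=463 RESULT err=32 tag=101 nentries=0 wtime=0.000669302 optime=0.000221026 etime=0.000887813
[04/Dec/2024:17:26:03.778320457 +0300] conn=4 op=465 DEL dn="krbPrincipalName=TRUSTD$@FREEIPA.TESTDOMAIN,cn=trustd.trustdomain,cn=ad,cn=trusts,dc=freeipa,dc=testdomain"
[04/Dec/2024:17:26:03.787218288 +0300] conn=4 op=465 RESULT err=0 tag=107 nentries=0 wtime=0.000248254 optime=0.008902561 etime=0.009146789
[04/Dec/2024:17:26:03.788080996 +0300] conn=4 op=466 ADD dn="krbprincipalname=krbtgt/TRUSTD@FREEIPA.TESTDOMAIN,cn=trustd.trustdomain,cn=ad,cn=trusts,dc=freeipa,dc=testdomain"
[04/Dec/2024:17:26:03.789528942 +0300] conn=4 op=466 RESULT err=65 tag=105 nentries=0 wtime=0.000596456 optime=0.001453382 etime=0.002046431 - attribute "ipaAllowedToPerform;read_keys" not allowed
"""

# Request line: operation type plus its target DN (base= for SRCH, dn= for writes).
REQ_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                    r'(?P<kind>SRCH|ADD|DEL|MOD|MODRDN) .*?(?:base|dn)="(?P<dn>[^"]*)"')
# RESULT line: LDAP result code, optionally followed by " - <server message>".
RES_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)'
                    r'(?P<rest>.*?)(?: - (?P<msg>.*))?$')


def correlate(log_text):
    """Pair each request with its RESULT by (conn, op); return completed ops in order."""
    pending, ops = {}, []
    for line in log_text.splitlines():
        req = REQ_RE.match(line)
        if req:
            pending[(req['conn'], req['op'])] = {
                'conn': int(req['conn']), 'op': int(req['op']),
                'kind': req['kind'], 'dn': req['dn'], 'err': None, 'msg': None}
            continue
        res = RES_RE.match(line)
        if res and (res['conn'], res['op']) in pending:
            rec = pending.pop((res['conn'], res['op']))
            rec['err'], rec['msg'] = int(res['err']), res['msg']
            ops.append(rec)
    return ops


def failed_writes(ops):
    """Writes (ADD/DEL/MOD/MODRDN) whose RESULT is not err=0.
    err=32 (noSuchObject) on the op=463 SRCH is expected: the plugin checks whether
    krbtgt/TRUSTD@... exists before creating it.  err=65 is objectClassViolation: the
    ADD carried an attribute (here the ipaAllowedToPerform;read_keys subtype) that the
    entry's object classes do not allow, which is the error ipa-server-upgrade reports."""
    return [o for o in ops if o['kind'] != 'SRCH' and o['err'] != 0]


def report(log_text):
    """One line per failed write, e.g. for a post-upgrade health check."""
    return ['conn=%d op=%d %s dn=%s -> err=%d %s' % (o['conn'], o['op'], o['kind'],
            o['dn'], o['err'], o['msg'] or '') for o in failed_writes(correlate(log_text))]
```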
      
      
