Allow Samba not to store the NT Hash

Allows Samba to be deployed at sites that will not, e.g. due to FIPS and similar security requirements, store an unsalted hash.

  • Based on 'ntlm auth = disabled', consistent with the historical behaviour of 'lanman auth = no'.

  • Builds on !2410 (closed) which was harder than it should have been, and took most of the time :-(

  • No password history, other than the previous password and the previous previous, is stored, as that data structure uses the NT hash itself, so it is unsafe.

  • Tests for password change and similar tests run in not ad_dc_no_ntlm environment to test.

  • Plaintext password from a simple bind handled by comparison to the AES256 key.

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
Edited by Andrew Bartlett
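As an added illustration (not part of this MR or of Samba's code) of the simple-bind and password-history points above: a plaintext bind password is verified by re-deriving a salted, Kerberos-style key and comparing it to the stored key, and history checks are limited to the keys actually retained. It models only the PBKDF2 stage of RFC 3962 string-to-key (the AES-based DK step is omitted), so the outputs are not real AES256 Kerberos keys; the realm, principal names and passwords are constructed.

```python
import hashlib
import hmac

# Constructed illustration, not Samba code. Assumption: RFC 3962 string-to-key is
# PBKDF2-HMAC-SHA1 followed by a DK() step using AES; only the PBKDF2 stage is
# modelled here, so the outputs are not real Kerberos keys, but the property that
# matters (salted by realm and principal, verified by comparison) is the same.
ITERATIONS = 4096  # RFC 3962 default iteration count
KEY_LEN = 32       # aes256-cts-hmac-sha1-96 key length in bytes


def kerberos_salt(realm: str, principal: str) -> bytes:
    """Default Kerberos salt: upper-case realm followed by the principal name."""
    return (realm.upper() + principal).encode("utf-8")


def derive_key(password: str, realm: str, principal: str) -> bytes:
    """Re-derive the salted key from a plaintext password (simplified string-to-key)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               kerberos_salt(realm, principal), ITERATIONS, KEY_LEN)


def check_simple_bind(stored_key: bytes, password: str, realm: str, principal: str) -> bool:
    """LDAP simple bind: derive a key from the offered password, compare in constant time."""
    return hmac.compare_digest(derive_key(password, realm, principal), stored_key)


def reuses_recent_password(new_password: str, history: list, realm: str, principal: str) -> bool:
    """History is limited to the keys still held: current, previous, previous-previous."""
    candidate = derive_key(new_password, realm, principal)
    return any(hmac.compare_digest(candidate, old) for old in history[:3])


def demo() -> dict:
    """Constructed realm, principal and passwords; returns the outcomes of each check."""
    realm, user = "EXAMPLE.COM", "alice"
    history = [derive_key(p, realm, user) for p in ("Spring24!", "Winter23!", "Autumn23!")]
    return {
        "bind_ok": check_simple_bind(history[0], "Spring24!", realm, user),
        "bind_bad": check_simple_bind(history[0], "spring24!", realm, user),
        # Same password, different principal: the salt gives a different key.
        "salted": derive_key("Spring24!", realm, user) != derive_key("Spring24!", realm, "bob"),
        "reuse_blocked": reuses_recent_password("Winter23!", history, realm, user),
        "fresh_allowed": reuses_recent_password("Summer24!", history, realm, user),
    }
```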