Add roles/ad_integration

[markuslf]

Summary

New ad_integration role: a thin wrapper around the upstream fedora.linux_system_roles.ad_integration role, analogous to the existing network and kernel_settings wrappers. It joins a host to an Active Directory domain (realm join + SSSD configuration) so AD users can log in and AD groups can be used for access control and sudo.

Motivated by the manual realm join / sssd.conf steps still documented in several */rst/03-infra.rst customer docs (e.g. projects 163, 178, 223). FreeIPA remains the Linuxfabrik standard (freeipa_client); this covers the AD-join exceptions.

Design

• Exposes the upstream join knobs via the standard LFOps combined-variable cascade (__role_var / __dependent_var / __group_var / __host_var / __combined_var).
• Credentials grouped in a single ad_integration__login dict (username / password), Bitwarden-lookup friendly. No default secrets.
• SSSD settings as lists of dicts merged with combine_lod(unique_key="key").
• KISS: the upstream manage_timesync, manage_crypto_policies and manage_dns sub-features are intentionally NOT exposed. Time sync, DNS and crypto policy stay with the dedicated LFOps roles (chrony, network, crypto_policy). Documented in the README.

Deliverables (per CONTRIBUTING)

• roles/ad_integration/ (defaults, meta/argument_specs.yml, tasks, README.md)
• playbooks/ad_integration.yml
• Updated playbooks/all.yml, playbooks/README.md, COMPATIBILITY.md, CHANGELOG.md

Validation

• yamllint clean.
• argument_specs rejects missing mandatory __realm / __login; passes when provided.
• End-to-end (check mode): credential assert passes, debug output correct, host-level override applied (client_software=winbind), handoff to the upstream role works, timesync/crypto/DNS correctly not triggered.
• COMPATIBILITY.md marks all platforms (x) (theoretically usable, untested) since the role was not tested against a live AD. Raise to x once it runs in a real project.