Add "schema" update/check script for software upgrades

[macrotex]

Many applications supply a "schema upgrade" script that is used then the application is updated. Typically, this makes any needed changes to the backend database schema or database elements that the new version of the application needs.

In the case of Heimdal, while the schema itself rarely changes, there have been times when new system principals need to be added, for example, WELLKNOWN/ANONYMOUS and WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L. The upgrade script would, if these principals are missing, add them.

At the very least, a script that reports potential problems would be helpful (e.g., "Hey: you are missing the principal WELLKNOWN/ANONYMOUS!").

[nicowilliams]

Perhaps we should make kadm5_s_init_with_password_ctx() do all upgrade work. That way just starting kadmind or @elric1's krb5_admind, or even kadmin -l should upgrade.

On the other hand, having kadmin -l do this every time might be annoying. And kadmind calls that function on every connection.

So maybe we should just have an explicit kadmin -l upgrade.