s3:winbindd: fix "allow trusted domains = no" regression

s3:winbindd: fix "allow trusted domains = no" regression

add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).

We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184

(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)

Autobuild-User(v4-15-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-15-test): Wed Nov 10 23:29:45 UTC 2021 on sn-devel-184