User's Remote shell (SSH) access

I’d rather call “ldbmodify” inside nsdc, like we do with other “samba-tool” invocations. I don’t like the “Accounts operator” group membership of the machine account. It is required during upgrade/migration, but could be replaced by “ldbmodify” calls…

An upstream patch to samba-tool is welcome though…