Handle capability changes

sssd 2.10.0 introduced a change in how the multiple sssd binaries handle privileges. Details in [1]. The main change involves capabilities and a non-root user.

The change to non-root is a bit bigger to handle here I think, so I only made the necessary capability changes. I used the contrib/sssd.spec.in and Makefile.am files to see what was required.

Before these changes, the autopkgtests for 2.10.1 were failing, and now they are passing again.

In terms of a pattern for setcap usage in postinst maintainer scripts, I noticed that many packages checked for setcap before using it. If it's found, capabilities are used and any SUID bit is dropped. If capabilities cannot be used, then the SUID bit is set (or left alone, if it was there already). I don't think we have this choice in sssd, i.e., we shouldn't add the SUID bit to the helpers which need capabilities.

I made changes to d/changelog in individual commits, so you can drop them if you want, or do them differently.

  1. https://sssd.io/release-notes/sssd-2.10.0.html
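
The two postinst patterns described above, as an added shell example that is not part of this merge request or of the sssd packaging: `caps_or_suid` is the common "capabilities, else SUID" fallback, and `caps_only` is the variant that never adds the SUID bit. The function names, the `SETCAP` override, the helper path and the capability string are assumptions made for illustration, not sssd's real values.

```shell
#!/bin/sh
# Added illustration. The helper path and capability set used in the usage
# line at the bottom are constructed placeholders, not the real sssd values.

# Overridable so the logic can be exercised without root or libcap2-bin.
SETCAP="${SETCAP:-setcap}"

# Common pattern: prefer file capabilities, otherwise fall back to SUID.
caps_or_suid() {
    helper=$1
    caps=$2
    if command -v "$SETCAP" >/dev/null 2>&1 &&
       "$SETCAP" "$caps" "$helper" 2>/dev/null; then
        chmod u-s "$helper"   # capabilities applied: drop any SUID bit
    else
        chmod u+s "$helper"   # no capabilities: helper runs with full root via SUID
    fi
}

# Variant without the SUID fallback: if capabilities cannot be applied,
# the helper is left without added privilege and the caller is told so.
caps_only() {
    helper=$1
    caps=$2
    if command -v "$SETCAP" >/dev/null 2>&1 &&
       "$SETCAP" "$caps" "$helper" 2>/dev/null; then
        chmod u-s "$helper"   # capabilities applied: drop any SUID bit
        return 0
    fi
    echo "warning: could not set '$caps' on $helper; no SUID bit added" >&2
    return 1
}

# Usage inside a postinst "configure" step (placeholder path and capability):
#   caps_only /usr/libexec/example/helper "cap_dac_read_search=p" || true
```

A non-zero return from `caps_only` lets the maintainer script decide whether a helper without its capabilities is a warning or a failed configure step.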
