- Bug
- Resolution: Duplicate
- Major
- rhel-10.0.beta
- rhel-sst-idm-ipa
- ssg_idm
- 2025-Q1-Bravo-S3
- Unspecified Release Note Type - Unknown
Cloned from: https://pagure.io/freeipa/issue/8628

### Issue

`kadmin`'s `change_password` command with the `-keepold` option doesn't work in FreeIPA. It adds new keys but increments the old keys' kvno as well.

I know FreeIPA doesn't support the `kadmin` interface and there is a way to change the key for most principals, but I believe it should be possible to change the key for the `krbtgt` principal too, without breaking existing TGTs (it is possible in MIT Kerberos according to the [documentation](https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#changing-krbtgt-key)). Of course, the `purgekeys` command should work as well, or there should be another method for purging keys with older kvnos.

#### Steps to Reproduce

1. Run `kadmin.local -q 'change_password -randkey -keepold krbtgt/REALM'` on a FreeIPA server

#### Actual behavior

```
# kadmin.local -q 'get_principal krbtgt/REALM'
[...]
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
```

#### Expected behavior

```
# kadmin.local -q 'get_principal krbtgt/REALM'
[...]
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
```

#### Version/Release/Distribution

```
# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.8-5.el7.centos.x86_64
ipa-client-4.6.8-5.el7.centos.x86_64
389-ds-base-1.3.10.2-7.1.el7_9.x86_64
pki-ca-10.5.18-7.el7.noarch
krb5-server-1.15.1-50.el7.x86_64
```
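As an added illustration (not part of the original report or of FreeIPA), a small Python check that parses the `Key: vno N, enctype` lines from `get_principal` output and decides whether a `-keepold` rekey actually preserved the old kvno entries. The before-state sample is constructed (assumed kvno 1 keys); the two after-states are the outputs quoted in the report, and the check flags the actual output as having lost the old keys.

```python
import re
from collections import Counter

# Key lines as printed by `kadmin.local -q 'get_principal <principal>'`.
KEY_RE = re.compile(r"^Key:\s+vno\s+(\d+),\s+(\S+)")

# Constructed sample: assumed key set of krbtgt/REALM before the rekey.
BEFORE = """Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
"""

# After-states quoted in the report. ACTUAL rebumped the old entries to
# vno 2; EXPECTED keeps them at vno 1 next to the newly generated vno 2 keys.
ACTUAL = """Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
"""
EXPECTED = ACTUAL.replace("vno 2", "vno 1", 2)  # first two lines become vno 1


def parse_keys(output):
    """Count (kvno, enctype) pairs; repeated pairs are distinct salt variants."""
    keys = Counter()
    for line in output.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys[(int(m.group(1)), m.group(2))] += 1
    return keys


def lost_keys(before, after):
    """Old (kvno, enctype) entries that no longer appear after the rekey."""
    old, new = parse_keys(before), parse_keys(after)
    return sorted(k for k, n in old.items() if new[k] < n)


def keepold_preserved(before, after):
    """True when -keepold semantics held: every old key survives at its
    original kvno and at least one key with a higher kvno was added."""
    old, new = parse_keys(before), parse_keys(after)
    if not old or not new or lost_keys(before, after):
        return False
    highest_old = max(vno for vno, _ in old)
    return any(vno > highest_old for vno, _ in new)
```

Run `keepold_preserved(BEFORE, after)` on a snapshot taken before and after the rekey; a `False` with a non-empty `lost_keys` result is the symptom described in the report, meaning TGTs issued under the old kvno can no longer be decrypted.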
Duplicates: RHEL-49440 Pagure #9370: kdb: support storing and retrieving multiple master keys [rhel-10] (In Progress)