Cloned from: https://pagure.io/freeipa/issue/8628
### Issue
`kadmin`'s `change_password` command with the `-keepold` option doesn't work in FreeIPA. It adds new keys but increments the old keys' kvno as well. I know FreeIPA doesn't support the `kadmin` interface and there is a way to change the key for most principals, but I believe it should be possible to change the key for the `krbtgt` principal too, without breaking existing TGTs (it is possible in MIT Kerberos according to the [documentation](https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#changing-krbtgt-key)). Of course, the `purgekeys` command should work as well, or there should be another method for purging keys with older kvnos.
#### Steps to Reproduce
1. Run `kadmin.local -q 'change_password -randkey -keepold krbtgt/REALM'` on FreeIPA server
#### Actual behavior
```
# kadmin.local -q 'get_principal krbtgt/REALM'
[...]
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
```
#### Expected behavior
```
# kadmin.local -q 'get_principal krbtgt/REALM'
[...]
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
```
#### Version/Release/Distribution
```
# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.8-5.el7.centos.x86_64
ipa-client-4.6.8-5.el7.centos.x86_64
389-ds-base-1.3.10.2-7.1.el7_9.x86_64
pki-ca-10.5.18-7.el7.noarch
krb5-server-1.15.1-50.el7.x86_64
```
- duplicates: RHEL-49440 Pagure #9370: kdb: support storing and retrieving multiple master keys [rhel-10] (In Progress)
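The difference between the actual and expected output above can be checked mechanically. The following is an added example, not part of the original report or of FreeIPA; the function name `keepold_verdict` and its verdict words are hypothetical, and the sample inputs are the `Key:` lines from the report.

```shell
#!/bin/sh
# Added example: classify get_principal key lines after a -keepold rekey.
# keepold_verdict and its verdict words are hypothetical names.

keepold_verdict() {
  # Reads get_principal output on stdin, prints one verdict word.
  awk '
    /^[ \t]*Key: vno [0-9]+,/ {
      kvno = $3; sub(/,$/, "", kvno)
      enc = $4;  sub(/[,:].*$/, "", enc)   # keep only the enctype name
      if (seen[kvno " " enc]++) dup++      # same enctype twice at one kvno
      if (!(kvno in vnos)) { vnos[kvno] = 1; nv++ }
      total++
    }
    END {
      if (total == 0) { print "no-keys"; exit 2 }
      if (dup > 0)    { print "duplicate-kvno-enctype"; exit 1 }
      if (nv < 2)     { print "single-kvno"; exit 1 }
      print "old-kvno-retained"
    }'
}

# Constructed samples: the Key lines from the report's two outputs.
REPORTED_ACTUAL='Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96'

REPORTED_EXPECTED='Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96'

printf 'actual:   %s\n' "$(printf '%s\n' "$REPORTED_ACTUAL" | keepold_verdict || true)"
printf 'expected: %s\n' "$(printf '%s\n' "$REPORTED_EXPECTED" | keepold_verdict || true)"
```

On a server, pipe `kadmin.local -q 'get_principal krbtgt/REALM'` into `keepold_verdict` after the rekey; a non-zero exit status means the older kvno was not kept distinct.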