I have noticed that passwords being changed via kpasswd (kpasswdd) in
1.6 keep old passwords in the database unconditionally.
Code-wise it can be tracked down to this line in kpasswdd.c:
    ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, 1, tmp);
The third argument (1) is the "keepold" flag, so it is clear there is no
way to manage this behaviour from the configuration.
Is there a reason this was done? I know --keepold support was added in
1.6, but making that the default for normal users seems a bit excessive
since this creates an ever increasing backlog of old keys.
I know of no way to clean up old keys short of setting a new password
via kadmin where the --keepold flag is optional, and this is not really
doable for normal users.