When we check for password reuse, only compare keys with the most
recent kvno against history entries, or else we will always fail with

This bug primarily affects rollover of cross-realm TGT principals,
which typically use password-derived keys and may have an associated
password policy such as "default".

Bug report and candidate fix (taken with a slight modification) by
Commit By: ghudson
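
The check described in the commit message above, as an added C sketch that is not the krb5 code: `struct key_rec`, `reuse_detected` and the sample keys are hypothetical, and it assumes a principal whose key list still holds older-kvno keys next to the newly derived ones.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical simplified key record; not the krb5 KDB structures. */
struct key_rec {
    int kvno;                /* key version number */
    unsigned char key[16];   /* constructed key bytes */
};

/* Highest kvno present in a key list (0 if the list is empty). */
static int max_kvno(const struct key_rec *keys, size_t n)
{
    int max = 0;
    for (size_t i = 0; i < n; i++)
        if (keys[i].kvno > max)
            max = keys[i].kvno;
    return max;
}

/* Return 1 if a considered key equals a history entry, else 0.
 * With current_only set, keys below the newest kvno are skipped. */
static int reuse_detected(const struct key_rec *keys, size_t nkeys,
                          const struct key_rec *hist, size_t nhist,
                          int current_only)
{
    int newest = max_kvno(keys, nkeys);
    for (size_t i = 0; i < nkeys; i++) {
        if (current_only && keys[i].kvno != newest)
            continue;   /* retained old key: it is not the new password */
        for (size_t j = 0; j < nhist; j++)
            if (memcmp(keys[i].key, hist[j].key, sizeof keys[i].key) == 0)
                return 1;
    }
    return 0;
}

/* Constructed sample: new key at kvno 2, old key at kvno 1 kept in the
 * list, and the old key also recorded in the password history. */
static const struct key_rec sample_keys[] = {
    { 2, "new-key-kvno-2" },
    { 1, "old-key-kvno-1" },
};
static const struct key_rec sample_hist[] = { { 1, "old-key-kvno-1" } };

int main(void)
{
    /* 0 (success): no reuse once only the newest kvno is compared. */
    return reuse_detected(sample_keys, 2, sample_hist, 1, 1);
}
```

Comparing every key in the list reports reuse on this sample even though the new password is different, because the retained kvno 1 key is itself a history entry.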