a9bcf53 ipa-pwd-extop: do not remove MagicRegen mod, replace it

Authored and Committed by abbra 4 years ago
    ipa-pwd-extop: do not remove MagicRegen mod, replace it
    
    In 2012, the ldbm backend in 389-ds started checking entry modification
    after running betxnpreop plugins by comparing the number of modifications
    before and after. If that number didn't change, it is considered that
    plugins didn't modify the list.
    
    ipa-pwd-extop actually removed and re-added the modification to ipaNTHash
    if it contained the 'MagicRegen' value. This did not work since commit
    https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43
    but we were lucky nothing in FreeIPA code actually relied on that except
    some code paths in ipasam Samba passdb driver. However, Samba didn't
    reach the point where the code was triggered -- until now.
    
    With support to run Samba as a domain member in an IPA domain, that code
    path is triggered for Kerberos service principals of domain members
    (cifs/client.example.test, ...) and NT hash extraction from Kerberos
    keys does not work.
    
    Fix ipa-pwd-extop to follow recommendations in
    https://pagure.io/389-ds-base/issue/387#comment-120145 and
    https://pagure.io/389-ds-base/issue/50369#comment-570696
    
    Fixes: https://pagure.io/freeipa/issue/7953
    Reviewed-By: Christian Heimes <cheimes@redhat.com>