Although, only kadm5 consumers on master KDCs should all log to the ulog. There's no nice programmatic distinction between master and slave. The distinction lies in what services they run. (And if we ever get read-only kadmind then the distinction will lie in what services they run and how they are configured.) Today, running kadmin.local on a slave will screw up iprop, likely resulting in a full resync (which will clobber the local change). This is a bit of a mess. A simple fix would be to have kpropd mark a ulog as being "slave-side", then iprop can simply not log any local changes to the ulog (or, perhaps, log them, but not change the ulog header). An alternative would be to have two ulogs: one for slave-side operations, one for master-side operations, with one being named by suffixing the other, say.
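A simplified model of the first fix proposed above (kpropd marks the ulog as "slave-side"), added here as an illustration; it is not code from the original message or from the krb5 source. All struct and function names are hypothetical, and the master's decision is reduced to one assumption: incremental updates are served only when the slave's last serial number and timestamp match an entry the master logged.

```c
/* Simplified model of an iprop update log (ulog). All names are
 * hypothetical; none are MIT krb5 identifiers. */
#include <stdbool.h>

#define LOG_MAX 16

struct stamp { unsigned sno; unsigned time; };  /* serial number + timestamp */

struct ulog {
    bool slave_side;             /* set by kpropd in the proposed fix */
    struct stamp last;           /* header: last entry logged or applied */
    struct stamp hist[LOG_MAX];  /* stamps of locally logged entries */
    unsigned n;
};

/* A kadm5 consumer (kadmind, kadmin.local) records a local change. */
void log_local_change(struct ulog *u, unsigned now)
{
    if (u->slave_side)
        return;                  /* proposed fix: leave the header untouched */
    u->last.sno++;
    u->last.time = now;
    if (u->n < LOG_MAX)
        u->hist[u->n++] = u->last;
}

/* kpropd applies one incremental entry received from the master. */
void apply_from_master(struct ulog *u, struct stamp s) { u->last = s; }

/* Master side of a poll (assumed rule): full resync unless the slave's
 * position is an entry the master actually logged. */
bool needs_full_resync(const struct ulog *master, struct stamp slave_last)
{
    for (unsigned i = 0; i < master->n; i++)
        if (master->hist[i].sno == slave_last.sno &&
            master->hist[i].time == slave_last.time)
            return false;
    return true;
}

/* Constructed scenario: master logs two changes, the slave syncs both,
 * then kadmin.local is run on the slave before the next poll. */
bool resync_after_slave_local_change(bool marked_slave_side)
{
    struct ulog master = {0}, slave = {0};
    slave.slave_side = marked_slave_side;
    log_local_change(&master, 100);
    log_local_change(&master, 200);
    apply_from_master(&slave, master.hist[0]);
    apply_from_master(&slave, master.hist[1]);
    log_local_change(&slave, 300);   /* kadmin.local on the slave */
    return needs_full_resync(&master, slave.last);
}
```

The model covers only the ulog header; whether a local change made on a slave should survive later propagation is a separate question it does not address.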