Here is my updated krb5-1.11 branch, with the patches in order:

https://github.com/rbasch/krb5/commit/affc746f296869d25c49ee2eabc843c60470ac
df
https://github.com/rbasch/krb5/commit/f6237998bf7b20ea898d8b1ac2b30255caad89
d8
https://github.com/rbasch/krb5/commit/906d18fe56849ee59a114c31e5242a749166bc
f5
https://github.com/rbasch/krb5/commit/9a788de948a73557defd3f520fba7983944f6e
f6

I basically save the iproplog state temporarily so I know I should update
the ulog later.

There are basically two fixes:
1. Update the ulog only after the new db is promoted
2. When using conditional dumps, make sure the dump header is present in the
ulog (the original "guessing" led to too many cases where the old dump was
assumed to be ok when it did not match against any ulog entries).

My patches above include a fix to lib/kdb to also suppress ulog locking when
not in master mode for krb5_db_put_principal, but it might not be required
based on the last patch (the main file which needs to be patched is
kadmin/dbutil/dump.c). If ulog_lock is a no-op when iproprole = IPROP_NULL,
then this can be omitted, otherwise, it is required; I set iproprole =
IPROP_NULL just prior to restore_dump().