[krbdev.mit.edu #7384] kdb5_util dump race can leave policy refcounts incorrect
Nico Williams via RT
rt-comment at krbdev.mit.edu
Thu Sep 27 12:11:25 EDT 2012
kdb5_util does not lock the KDB across both record iteration
operations that it does (principals and policies) unless the dump
format requested is an iprop dump format. I don't understand why the
utility locks the whole KDB in the iprop case but not in the non-iprop
cases. A change to any principal's policy assignment that sneaks in
between the iteration of principals and the iteration of policies
will result in the dump having incorrect policy refcounts. If such a
dump is propagated to a slave that then gets promoted to master, then
the incorrect policy refcount will matter.
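
The race reported above, as an added example that is not part of the original report and is not MIT krb5 code: a constructed toy database is dumped principals-first, then policies, with a writer changing one principal's policy between the two iterations, and the dump is then checked by recomputing refcounts from the dumped principals. The struct, function names and the `hold_lock` flag are assumptions made for illustration; the real kdb5_util locking is not modeled.

```c
#include <stdio.h>
#include <string.h>

#define NPRINC 3
#define NPOL 2

/* Toy KDB (constructed model, not MIT krb5 code): each principal names a
 * policy by index; each policy stores a refcount of principals using it. */
struct kdb { int princ_policy[NPRINC]; int pol_refcnt[NPOL]; };

/* Concurrent writer: move principal p to policy newpol, updating refcounts. */
static void set_policy(struct kdb *db, int p, int newpol) {
    db->pol_refcnt[db->princ_policy[p]]--;
    db->princ_policy[p] = newpol;
    db->pol_refcnt[newpol]++;
}

/* Dump principals, then policies. hold_lock models one lock held across both
 * iterations: the writer is held off until the dump is finished. */
static void dump(struct kdb *db, struct kdb *out, int hold_lock) {
    memcpy(out->princ_policy, db->princ_policy, sizeof out->princ_policy);
    if (!hold_lock)
        set_policy(db, 0, 1);   /* writer sneaks in between the iterations */
    memcpy(out->pol_refcnt, db->pol_refcnt, sizeof out->pol_refcnt);
    if (hold_lock)
        set_policy(db, 0, 1);   /* writer runs after the lock is released */
}

/* Count policies whose dumped refcount disagrees with the dumped principals. */
static int bad_refcounts(const struct kdb *d) {
    int want[NPOL] = {0}, bad = 0;
    for (int i = 0; i < NPRINC; i++) want[d->princ_policy[i]]++;
    for (int j = 0; j < NPOL; j++) bad += (want[j] != d->pol_refcnt[j]);
    return bad;
}

/* Run one dump against a fresh constructed database; return mismatches. */
static int run(int hold_lock) {
    struct kdb db = { {0, 0, 1}, {2, 1} }, out;
    dump(&db, &out, hold_lock);
    return bad_refcounts(&out);
}

int main(void) {
    printf("unlocked dump: %d inconsistent policies\n", run(0));
    printf("locked dump:   %d inconsistent policies\n", run(1));
    return 0;
}
```

The live database stays consistent in both runs; only the unlocked dump carries refcounts that no longer match its own principal records, which is what a recount like `bad_refcounts` detects before a dump is loaded elsewhere.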