Currently, if a master has never been a leader from the very start of the cluster, it has just self-signed cert. And if a client does not have valid Kerberos credential but only authenticated token, then the client may see org.apache.kudu.client.NonRecoverableException: Server requires Kerberos, but this client is not authenticated error when trying to connect to master followers. Since in that case SASL authentication type is chosen instead of token for authentication.
It is safe to ignore this error, as long as client is able to connect to master leader. However, for a long term fix, masters should probably attempt to get a signed cert from the leader.