Partial success!
IT IS a Kerberos issue.
I cleared up a DNS issue that was compounding the problems, and used kinit to test a connection. (I should note that I have been running 2 OD Masters in order to achieve functionality while I've been testing this. In the following, "Master" refers to my previously named replica2 and "replica" will refer to replica1. The setup is that the Master is running critical services and cannot be altered extensively, and the replica is being used to test replication functionality from a machine that will not replicate properly.)
The non-communicating master would not authenticate _ldap_replicator to the KDC, and through testing in Terminal I found that the issue was specific to this Master.
At 1847 I authenticated diradmin on the replica by using kinit diradmin.
This resulted in authenticating against the KDC realm on the master, MASTER.EXAMPLE.COM.
At 1847, the LDAP log stops reporting syncrepl SASL errors and has successfully pulled a test user account from the master. It did not successfully pull over service-related information, so the user shows as 'not allowed'.
However, the Master continues to report syncrepl errors, meaning that this could be a temporary/fluke fix. Gravy is that I now get this log in the system logs:
Feb 6 19:44:20 master.example.com kdc[47]: AS-REQ _ldap_replicator@MASTER.EXAMPLE.COM from 127.0.0.1:63200 for krbtgt/MASTER.EXAMPLE.COM@MASTER.EXAMPLE.COM
Feb 6 19:44:20 --- last message repeated 1 time ---
Feb 6 19:44:20 master.example.com kdc[47]: Client sent patypes: REQ-ENC-PA-REP
Feb 6 19:44:20 master.example.com kdc[47]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Feb 6 19:44:20 master.example.com kdc[47]: AS-REQ _ldap_replicator@MASTER.EXAMPLE.COM from 127.0.0.1:57243 for krbtgt/MASTER.EXAMPLE.COM@MASTER.EXAMPLE.COM
Feb 6 19:44:20 --- last message repeated 1 time ---
Feb 6 19:44:20 master.example.com kdc[47]: Client sent patypes: REQ-ENC-PA-REP
Feb 6 19:44:20 master.example.com kdc[47]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Feb 6 19:44:20 master.example.com kdc[47]: AS-REQ _ldap_replicator@MASTER.EXAMPLE.COM from 127.0.0.1:61874 for krbtgt/MASTER.EXAMPLE.COM@MASTER.EXAMPLE.COM
Feb 6 19:44:20 --- last message repeated 1 time ---
Feb 6 19:44:20 master.example.com kdc[47]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Feb 6 19:44:20 master.example.com kdc[47]: ENC-TS pre-authentication succeeded -- _ldap_replicator@MASTER.EXAMPLE.COM
Feb 6 19:44:20 master.example.com kdc[47]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Feb 6 19:44:20 master.example.com kdc[47]: Requested flags: forwardable
Feb 6 19:44:20 master.example.com kdc[47]: AS-REQ _ldap_replicator@MASTER.EXAMPLE.COM from 127.0.0.1:61473 for krbtgt/MASTER.EXAMPLE.COM@MASTER.EXAMPLE.COM
Feb 6 19:44:20 --- last message repeated 1 time ---
Feb 6 19:44:20 master.example.com kdc[47]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Feb 6 19:44:20 master.example.com kdc[47]: ENC-TS pre-authentication succeeded -- _ldap_replicator@MASTER.EXAMPLE.COM
Feb 6 19:44:20 master.example.com kdc[47]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Feb 6 19:44:20 master.example.com kdc[47]: Requested flags: forwardable
Take that ML server!
I will let you know if the errors return in the morning after the Kerberos ticket for diradmin expires.
Also, does anyone have any thoughts on why I continue to see some users, particularly those using DIGEST-MD5, and the _ldap_replicator authenticating four times every time they authenticate against the KDC?
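The kdc lines quoted in the post above record the standard Kerberos pre-authentication round trip: an AS-REQ carrying no pre-auth data is answered with "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ", and a later AS-REQ from the same principal carries ENC-TS and succeeds. As an added example, not part of the original post, here is a small Python parser that groups such Heimdal-style kdc log lines into one record per AS-REQ and counts, per principal, how many requests were bare versus pre-authenticated; the sample log is constructed from the lines in the post, and the regexes assume the exact message wording shown there.

```python
import re

# Constructed sample, modelled on the Heimdal kdc[] lines quoted in the post above.
SAMPLE_LOG = """\
Feb 6 19:44:20 master.example.com kdc[47]: AS-REQ _ldap_replicator@MASTER.EXAMPLE.COM from 127.0.0.1:63200 for krbtgt/MASTER.EXAMPLE.COM@MASTER.EXAMPLE.COM
Feb 6 19:44:20 --- last message repeated 1 time ---
Feb 6 19:44:20 master.example.com kdc[47]: Client sent patypes: REQ-ENC-PA-REP
Feb 6 19:44:20 master.example.com kdc[47]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Feb 6 19:44:20 master.example.com kdc[47]: AS-REQ _ldap_replicator@MASTER.EXAMPLE.COM from 127.0.0.1:61874 for krbtgt/MASTER.EXAMPLE.COM@MASTER.EXAMPLE.COM
Feb 6 19:44:20 master.example.com kdc[47]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Feb 6 19:44:20 master.example.com kdc[47]: ENC-TS pre-authentication succeeded -- _ldap_replicator@MASTER.EXAMPLE.COM
Feb 6 19:44:20 master.example.com kdc[47]: Requested flags: forwardable
"""

# One regex per kdc message we care about; wording assumed from the lines in the post.
AS_REQ = re.compile(r"kdc\[\d+\]: AS-REQ (\S+) from (\S+) for (\S+)")
PATYPES = re.compile(r"Client sent patypes: (.+)$")
NEED_PA = re.compile(r"Need to use (PA-\S+)")
PA_OK = re.compile(r"(\S+) pre-authentication succeeded -- ")

def parse_as_requests(text):
    """Group kdc lines into one dict per AS-REQ (each AS-REQ line starts a new record)."""
    reqs, cur = [], None
    for line in text.splitlines():
        if m := AS_REQ.search(line):
            cur = {"client": m[1], "src": m[2], "service": m[3],
                   "patypes": [], "result": "no-reply-logged"}
            reqs.append(cur)
        elif cur is None:
            continue                              # lines before the first AS-REQ
        elif m := PATYPES.search(line):
            cur["patypes"] = [p.strip() for p in m[1].split(",")]
        elif m := NEED_PA.search(line):
            cur["result"] = "preauth-required"    # bare request; KDC asked for pre-auth
        elif m := PA_OK.search(line):
            cur["result"] = "preauth-ok:" + m[1]  # e.g. preauth-ok:ENC-TS
    return reqs

def summarize(reqs):
    """Per principal: total AS-REQs, how many were bare, how many passed pre-auth."""
    out = {}
    for r in reqs:
        s = out.setdefault(r["client"], {"total": 0, "bare": 0, "preauth_ok": 0})
        s["total"] += 1
        if r["result"] == "preauth-required":
            s["bare"] += 1
        elif r["result"].startswith("preauth-ok"):
            s["preauth_ok"] += 1
    return out
```

Running `summarize(parse_as_requests(SAMPLE_LOG))` over the constructed sample yields one bare and one pre-authenticated request for _ldap_replicator; pointed at a real kdc log, a principal whose bare count keeps climbing without matching successes is the pattern worth looking into.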