I tried setting this up today, but no luck. I wasted hours and hours on this. The TLS connection between auth01 and auth02 comes up now, but there is no Kerberos authentication happening between the two hosts. I do not have any further debug information apart from a SASL error message and that is it.
https://wiki.ipfire.org/devel/telco/2020-12-07 This seems to cause _major_ infrastructure hiccups any time Debian ships an LDAP update requiring a reboot afterwards.
I consider this solved now. I set up the second LDAP/Kerberos server, which is running on a different hardware host. Most applications will continue using the first server (which won't be a problem with the little load that we have at the moment) and will fall back to the other one in case they need to. Both are writable and replicate all changes to each other.