Do I need pkinit for FreeIPA replicas to work?

I'm setting up FreeIPA servers using the ansible_freeipa collection role: ipaserver. I see there's an option for ipaserver_no_pkinit:. As far as I know, it does not really need any PKINIT, as I'll only use FreeIPA as an LDAP server with replication.

However, I'm not sure what's required in order to establish replication/failover between two IPA servers.

If you have explicitly specified not to provide PKINIT, this does not disable PKINIT support. Instead, it means that on IPA servers a PKINIT certificate will be generated using the local certmonger CA and will only be useful for IPA Web UI operations. The IPA Web UI (or rather its server side) uses PKINIT internally to support login to the Web UI for users with OTP tokens. OTP login over Kerberos requires the use of a special wrapping, which is typically done with an existing Kerberos ticket. PKINIT provides a way to obtain a so-called Anonymous PKINIT ticket just for this purpose. This type of operation is used by the IPA Web UI, and to make it work a proper PKINIT setup is needed.

You can read more details at https://www.freeipa.org/page/V4/Kerberos_PKINIT

P.S. A correct and more efficient way to ask FreeIPA questions is to use the freeipa-users@ mailing list. This is where most FreeIPA users are, along with the developers.
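As an added example (not from the original thread or the ansible-freeipa project), the following playbook deploys a server with the option the question mentions and then checks the behaviour the answer describes: that anonymous PKINIT still works on the server afterwards. It assumes an inventory group named `ipaserver`, the domain `example.test`, and passwords supplied from a vault.

```yaml
# Added example (not from the original thread): deploy one IPA server with
# the ansible_freeipa ipaserver role, then verify anonymous PKINIT on it.
# Assumptions: inventory group "ipaserver", domain example.test, vaulted passwords.
- name: Install IPA server without an IPA-CA-issued PKINIT certificate
  hosts: ipaserver
  become: true
  vars:
    ipaadmin_password: "{{ vault_ipaadmin_password }}"
    ipadm_password: "{{ vault_ipadm_password }}"
    ipaserver_domain: example.test
    ipaserver_realm: EXAMPLE.TEST
    ipaserver_setup_dns: false
    # As the answer explains, this does NOT turn PKINIT off: the KDC still gets a
    # PKINIT certificate, issued by the local certmonger CA instead of the IPA CA.
    ipaserver_no_pkinit: true
  roles:
    - role: freeipa.ansible_freeipa.ipaserver
      state: present

- name: Check that anonymous PKINIT (needed for Web UI OTP login) works locally
  hosts: ipaserver
  become: true
  tasks:
    - name: Request an anonymous ticket with kinit -n (no credentials needed)
      ansible.builtin.command: kinit -n -c /tmp/anon.ccache
      changed_when: false

    - name: List the credential cache that kinit -n produced
      ansible.builtin.command: klist -c /tmp/anon.ccache
      register: anon_klist
      changed_when: false

    - name: Fail if no WELLKNOWN/ANONYMOUS principal was obtained
      ansible.builtin.assert:
        that: "'WELLKNOWN/ANONYMOUS' in anon_klist.stdout"
        fail_msg: "Anonymous PKINIT failed; check the KDC certificate and pkinit_anchors"
```

The check is run on the IPA server itself because that host's krb5.conf already trusts the local certmonger CA; a client that only trusts the IPA CA would not accept a KDC certificate issued that way.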
