Using GSSAPI/Kerbros/Active Directory: want the database user name to be the full name including the realm name without specifying the user

Good afternoon,

We can successfully connect via GSSAPI/Kerberos using our Active Directory credentials when we map the domain user to a database user that matches the name when the domain information is removed.

When we have a user called mich****
C:\Users\mich2581>"c:\Program Files\PostgreSQL\14\bin"\psql -h dev00*****.esri.com snoopynet**1
Pg_hba:
host all all 0.0.0.0/0 gss include_realm=1 map=map
Pg_ident:
# MAPNAME SYSTEM-USERNAME PG-USERNAME
map /^(.*)@ESRI\.COM$ \1
map /^(.*)@esri\.com$ \1

If we create a database role called mich9999(at)ESRI(dot)COM<mailto:mich9999(at)ESRI(dot)COM>, if we run psql or other clients without providing a name with the command, we fail like this:

2023-03-09 16:58:51.732 PST [3654539] LOG: provided user name (mich****) and authenticated user name (mich****(at)ESRI(dot)COM) do not match
2023-03-09 16:58:51.732 PST [3654539] FATAL: GSSAPI authentication failed for user "mich2581"

If we specify the full name with domain at the command line, it will connect as the role with the full name with domain name. We test that without the mapping set above.

From what we can ascertain, this appears to be default behavior. The thing is, many notes on setting this up on the interweb have examples creating the database user with the full name including domain.

Is it possible to do that? We are not certain where the domain name is being stripped off.

Thanks,
Michael