GSSAPI is the authentication mechanism of choice, and it's working fine.
Here is what I'm trying to accomplish.
'user1' == 'user1' and 'user1@A.DOMAIN.TLD' == 'user1'.
From reading the docs, this is done via the pg_ident.conf file, and from reading the logs, there is a problem with my map.
Hmm... Interesting thought. *testing* It sort of works. Setting the maps below maps the users straight across. 'user1' == 'user1' and 'user1@A.DOMAIN.TLD' == 'user1@A.DOMAIN.TLD', so it's partially working.
But since your pg_hba has include_realm=1, I don't know how you are getting the realmless "system user" names in the first place, so the last line really shouldn't be necessary.