So yes, I saw krb5_map_user; the problem is we have hundreds of these users and that list grows
and shrinks dynamically as people come and go. I could do some really terrible hack to
pull the data from wherever and stick it into krb5_map_user but that's just awful.
Ultimately regex support here would solve everything.
I can't fully answer your second question yet; I am digging into it and I don't
know this area of auth well enough. It appears for the moment that user/sudo is NOT a
separate object. I know we don't have any other kerb other than the AD so perhaps we
are injecting principals directly into the krb database in AD, which I realize is just
backed into LDAP etc. etc.
I'll pass along more info when I have it.