mod_auth_kerb is Kerberos-specific: it implements Kerberos authentication via HTTP Negotiate. In the REMOTE_USER environment variable, it therefore reports the Kerberos identification ("principal name") of the authenticated client. Kerberos principal names are written foo/bar/baz/...@REALM; the leading components are called "instances" (one most often sees only one or two), and the "realm" is a trust domain within the Kerberos system, a built-in federation mechanism. In AD, the Kerberos realm is the same as the AD "domain" name, in upper case.
mod_auth_kerb (a new enough version) has a feature called KrbLocalUserMapping. This calls the Kerberos library function krb5_aname_to_localname() to translate a principal name to a "local name;" that is, something meaningful on the local host. What this function does depends on the Kerberos implementation. In MIT Kerberos, you can customize the mapping with "auth_to_local" rules in krb5.conf. The default rule just translates foo@[default realm] -> foo, which is sufficient in simple situations in which there's a single realm and your usernames are the same as your Kerberos principal names. However, you might want more complex rules. For example, we have a convention whereby Windows administrators have a "user-admin" account with domain administrator rights, in addition to their "user" accounts. When logged into their "admin" accounts, they would get rejected when going to authenticated web services running on Unix, since "user-admin" was not recognized. We just added a mapping so that user-admin@REALM gets mapped to "user" just as user@REALM does, and this was immediately fixed transparently for all web apps. The other nice thing about doing it this way is that it works for any kerberized service which uses krb5_aname_to_localname(), as opposed to doing it with mod_map_user which would only apply to Apache.
Some people suggested just blanket mapping all user@REALM names to "user", regardless of the realm (this is what the suggested mod_map_user solution would do). Note that this is a potential security problem: if you have multiple Kerberos realms connected by cross-realm trust, then the realm portion becomes meaningful; it is part of the user identification. If you just strip it, that means an administrator in another realm can impersonate a local user to Apache just by creating an account with the same name.