Debian Jessie, Kerberos, Cross-Forest AD authentication and all that pam_regex

Had a need to allow users of forest FOREST-B to authenticate to Linux machines of forest FOREST-A. More of that, needed to grant them sudo access. Google-foo didn't help much as most people just need to authenticate their users inside one forest (which is well-covered already and pretty standard setup anyway). Poking around PAM and Kerberos eventually helped me to complete the task.