sudo access on RHEL7 w/ IdM
I've run into a strange problem in my lab environment where I'm testing IdM.
Some of this data is provided only as comparison.
Lab setup:
"gateway" - RHEL6, IdM Client
Xen4CentOS (CentOS6 w/ xen kernel and tools) HVM - "chassis01-xen"
vms:
"auth" - CentOS6 w/ Identity Management Server, NFS source for home directory automount
"config" - CentOS6, IdM Client
"webdev1" - RHEL7, IdM Client
"webdev2" - RHEL7, IdM Client
Problem:
On all the RHEL6/CentOS6 machines, authentication and pam_sss perform as expected; there are no problems connecting via SSH as an IdM user. The home directories automount as expected, and the users with sudo privileges are able to escalate as expected. On the RHEL7 systems, the IdM users are able to log in and the home directories automount; HOWEVER, when a user with sudo access attempts to escalate, I get the unexpected response below.
error in /var/log/secure:
Feb 11 10:59:57 webdev2 sudo: pam_sss(sudo:auth): authentication success; logname=stephen uid=997400003 euid=0 tty=/dev/pts/0 ruser=stephen rhost= user=stephen
Feb 11 10:59:57 webdev2 sudo: stephen : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/stephen ; USER=root ; COMMAND=/bin/su -
expected:
Feb 11 11:09:19 auth sudo: pam_sss(sudo:auth): authentication success; logname=stephen uid=997400003 euid=0 tty=/dev/pts/0 ruser=stephen rhost= user=stephen
Feb 11 11:09:19 auth sudo: stephen : TTY=pts/0 ; PWD=/home/stephen ; USER=root ; COMMAND=/bin/su -
This ONLY happens on the RHEL7 systems.
For reference on the "6" systems:
Name : ipa-client
Arch : x86_64
Version : 3.0.0
Release : 42.el6.centos
on the "7" systems:
Name : ipa-client
Arch : x86_64
Version : 3.3.3
Release : 28.el7_0.3
I'm looking for any insight - and especially easy corrections (of course) - to ensure this works. This is a bit of a stumbling block to our final IdM implementation.
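An added configuration check, written for this page and not part of Stephen's post or of ipa-client itself: on a RHEL 7 client, sudo fetches IdM rules through the SSSD sudo responder, which only works when /etc/nsswitch.conf has "sss" on its sudoers: line and /etc/sssd/sssd.conf lists "sudo" under services= in the [sssd] section. Not every ipa-client-install version sets both of these up, and a client that authenticates fine (pam_sss "authentication success") yet answers "user NOT in sudoers" is consistent with either piece being missing, although the post does not confirm that is the cause here. The script below checks both files; the file paths, the ~/lab hostnames and the sample file contents used when testing it are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify an IdM client's
# sudo-through-SSSD wiring. Assumptions: RHEL/CentOS 7 layout, default
# paths /etc/nsswitch.conf and /etc/sssd/sssd.conf; pass other paths
# as arguments to check copies taken from another host.

# Does the sudoers: line in nsswitch.conf name the sss source?
# Commented-out lines ("#sudoers: ...") deliberately do not match.
nss_sudoers_has_sss() {
    # $1 = path to an nsswitch.conf
    grep -Eq '^[[:space:]]*sudoers[[:space:]]*:.*(:|[[:space:]])sss([[:space:]]|$)' "$1" 2>/dev/null
}

# Does services= in the [sssd] section list the sudo responder?
# awk tracks the current [section] so a "sudo" key elsewhere is ignored.
sssd_services_has_sudo() {
    # $1 = path to an sssd.conf
    awk '
        /^[ \t]*\[/ { insssd = ($0 ~ /^[ \t]*\[sssd\]/); next }
        insssd && /^[ \t]*services[ \t]*=/ {
            split($0, kv, "=")
            n = split(kv[2], svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1" 2>/dev/null
}

# Print one PASS/FAIL line per check; return 0 only when both pass.
idm_sudo_report() {
    nss="${1:-/etc/nsswitch.conf}"
    sssdconf="${2:-/etc/sssd/sssd.conf}"
    rc=0
    if nss_sudoers_has_sss "$nss"; then
        echo "PASS: $nss routes sudoers lookups through sss"
    else
        echo "FAIL: $nss has no 'sss' on its sudoers: line"
        rc=1
    fi
    if sssd_services_has_sudo "$sssdconf"; then
        echo "PASS: $sssdconf starts the sudo responder"
    else
        echo "FAIL: $sssdconf [sssd] services= does not list sudo"
        rc=1
    fi
    return $rc
}

# Only touch the live files when asked ("--run"), so the functions can be
# sourced from a test harness without side effects. sssd.conf is normally
# readable by root only, so run the check as root.
if [ "${1:-}" = "--run" ]; then
    shift
    idm_sudo_report "$@"
fi
```

Usage: sh idm-sudo-check.sh --run (as root) on the RHEL 7 client, then compare with the same command on a working RHEL 6 client. After correcting either file and restarting sssd, "sudo -l" as the IdM user is the end-to-end confirmation: it should list the rules IdM assigns to that user on that host. Host-based sudo rules are a separate thing to check; a rule that only applies to a host group the RHEL 7 machines are not members of produces the same "user NOT in sudoers" line, and this script does not detect that.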
Responses
Hello Stephen, you might be able to help me understand this. So, how do I migrate my local Unix accounts to IdM so that I can manage all of my local Unix users/accounts from IdM? Right now we are managing accounts locally (we change user passwords etc. by going to each box manually, and we want to centralize that using IdM). Thanks in advance.
