IPA sudo not working with hostgroups

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 6
  • Clients configured to use sudo rules from Identity Management using sssd or ldap
  • Sudo rules using hostgroups

Issue

  • We had Identity Management configured with HBAC and sudo rules. Users can access fine, and sudo rules configured to use individual hosts work fine, but if we configure a sudo rule to use a hostgroup, users cannot run sudo commands.

Resolution

  • Remove the following line from /etc/sssd/sssd.conf:
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
  • Restart the sssd service:
service sssd restart
  • Clean the sss cache:
sss_cache -UNG

Root Cause

  • The ldap_netgroup_search_base parameter was incorrectly set in sssd.conf. That prevented the system from retrieving netgroup information, so the sudo rules that use hostgroups did not match and users could not run sudo commands.

Diagnostic Steps

a. Check which configuration file sudo uses (version dependent) by running the following command as root:

# sudo -V | grep "^ldap.conf"

The output will show something similar to:
ldap.conf path: /etc/sudo-ldap.conf

b. Enable sudo LDAP debugging by appending the following to the configuration file found in step a:

echo "sudoers_debug 2" >> /etc/sudo-ldap.conf

c. Test the sudo command as the relevant user that you have set up in IPA. With debugging enabled, and /etc/nsswitch.conf configured so that sudo accesses LDAP directly (sudoers: files ldap), you should get output similar to:

LDAP Config Summary
===================
uri              ldap://ipaserver.example.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw           sudo_password
bind_timelimit   5000000
timelimit        15
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipaserver.example.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5000)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=sudotest)(sudoUser=%sudotest)(sudoUser=%ipausers)(sudoUser=%sudo-group)(sudoUser=ALL))'
sudo: found:cn=sudo-test,ou=sudoers,dc=example,dc=com
sudo: ldap sudoHost '+test-hg1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for sudotest: 
sudotest is not allowed to run sudo on ipaserver.  This incident will be reported.

d. Confirm that nisdomainname is set:

# nisdomainname

e. Check that nsswitch.conf is configured to use sss to retrieve netgroup information:

netgroup:   files sss

f. Check that netgroup information can be retrieved:

# getent netgroup test-hg1

g. Because netgroup information is provided by sss, check /var/log/sssd/sssd_example.com.log to see which value is being used for ldap_netgroup_search_base. In a standard configuration it should show that no value is set, after which a default value is set by ipa_get_id_options:

sssd_example.com.log:(Fri Nov 28 12:48:00 2014) [sssd[be[example.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value 
sssd_example.com.log:(Fri Nov 28 12:48:00 2014) [sssd[be[example.com]]] [ipa_get_id_options] (0x0400): Option ldap_netgroup_search_base set to cn=ng,cn=alt,dc=example,dc=com
sssd_example.com.log:(Fri Nov 28 12:48:00 2014) [sssd[be[example.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value 

But if the parameter is set, the output would be similar to:

sssd_example.com.log:(Fri Nov 28 10:40:05 2014) [sssd[be[example.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has value cn=ng,cn=compat,dc=example,dc=com
sssd_example.com.log:(Fri Nov 28 10:40:05 2014) [sssd[be[ejemplo.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has value cn=ng,cn=compat,dc=example,dc=com

Additionally, when testing hostgroup rules you should set a shorter timeout for sssd on the client by editing /etc/sssd/sssd.conf and adding the following line in the [domain/yourdomain.com] section:

entry_cache_netgroup_timeout = 10

Without this, when you add hosts to or remove hosts from the hostgroup, the change will not be picked up until the cache timeout is reached, which by default is 90 minutes.

Alternatively, you can clear the cache:

# service sssd stop ; sss_cache -UNG ; service sssd start
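The client-side checks from the diagnostic steps above (sssd.conf override, nsswitch netgroup source, and the host_matches=0 symptom in the sudo debug output), scripted as an added example that is not part of the Red Hat article. It runs against constructed sample files in a temporary directory rather than the live /etc files; point the functions at real paths to use it on a client.

```shell
#!/bin/sh
# Added example, not code from the Red Hat article: scripted versions of the
# article's client-side checks, run here against constructed sample files.
# Each function takes a file path and returns 0 (pass) or 1 (fail).

# Fail if an uncommented ldap_netgroup_search_base line is present; with the
# IPA provider the base is derived by ipa_get_id_options and must not be set.
sssd_netgroup_base_is_unset() {
    ! grep -Eq '^[[:space:]]*ldap_netgroup_search_base[[:space:]]*=' "$1"
}

# Remove that override (the article's first resolution step), POSIX sed only.
remove_sssd_netgroup_base() {
    sed '/^[[:space:]]*ldap_netgroup_search_base[[:space:]]*=/d' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Pass if the netgroup line in nsswitch.conf includes the sss source.
nsswitch_netgroup_uses_sss() {
    grep -Eq '^[[:space:]]*netgroup:.*[[:space:]]sss([[:space:]]|$)' "$1"
}

# Pass if sudoers_debug output shows a netgroup-based sudoHost ('+name') that
# failed to match, i.e. the article's symptom (user matched, host did not).
sudo_debug_shows_hostgroup_mismatch() {
    grep -q "ldap sudoHost '+" "$1" && grep -q 'host_matches=0' "$1"
}

# Constructed sample inputs, modelled on the article's snippets.
tmpd=$(mktemp -d)
cat > "$tmpd/sssd.conf" <<'EOF'
[domain/example.com]
id_provider = ipa
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
EOF
printf 'netgroup:   files sss\n' > "$tmpd/nsswitch.conf"
cat > "$tmpd/sudo.log" <<'EOF'
sudo: ldap sudoHost '+test-hg1' ... not
sudo: user_matches=1
sudo: host_matches=0
EOF

# Walk through the checks and report what a misconfigured client would show.
sssd_netgroup_base_is_unset "$tmpd/sssd.conf" || echo "sssd.conf overrides ldap_netgroup_search_base"
nsswitch_netgroup_uses_sss "$tmpd/nsswitch.conf" || echo "nsswitch.conf netgroup line lacks sss"
sudo_debug_shows_hostgroup_mismatch "$tmpd/sudo.log" && echo "sudo debug shows hostgroup host mismatch"
```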

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
