This was fixed in sudo 1.8.17 (https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7 to be exact), which I'd very much like to see backported to Ubuntu 16.04. If possible, updating sudo completely to 1.8.17 would be nice, since there have been quite a few improvements with regards to sss and freeipa and it would be a shame if we could not benefit from them given that 16.04 is LTS.
Sudo currently fails to validate netgroups against host netgroups returned from the sss plugin, see https:/ /fedorahosted. org/freeipa/ ticket/ 6139 for the glory details.
This was fixed in sudo 1.8.17 (https:/ /www.sudo. ws/repos/ sudo/rev/ 2eab4070dcf7 to be exact), which I'd very much like to see backported to Ubuntu 16.04. If possible, updating sudo completely to 1.8.17 would be nice, since there have been quite a few improvements with regards to sss and freeipa and it would be a shame if we could not benefit from them given that 16.04 is LTS.