I believe I have mine working now, just a few more tests. It is in fact related to the
nisdomainname. However, from what I had read, it says the nisdomainname must match the
host's domain, which is what mine was set to. However, I am finding that my hostgroups
work in sudo if I instead set the nisdomainname for the host to match the IPA server's
domain. So, for example, I am running multiple test domains as follows.
test.dev - main IPA domain and Kerberos realm
host1.project1.test.dev
host2.project1.test.dev
host1.project2.test.dev
host2.project2.test.dev
In this setup, the ipa client seems to set up the nisdomain to be
"project1.test.dev" etc. So when I checked it for the recommended settings, I
would say that matched the recommendations. However, to get my sudo host groups to work, I
need to set all these hosts to use the nisdomainname of "test.dev". I don't
know if this is well understood to be correct, but since the ipa client install seems to
have done the setup, it feels like this isn't expected. This will however work for
now for me, unless I find some other side effect of setting nisdomainname to the realm
var.