is used to add sudo rules which should only apply to a specific host or
hostgroup. This information is evaluated on the client by SSSD and only
sudo rules which apply to the client are downloaded and made available
to sudo.

Although I added the rule through the IPA gui, I believe I was doing what you are
describing here. I added the sudo rule and limited it to a host group. However with a
host group added, the rule never evaluated to true. It does if individual hosts from the
host group are added, but not the group.

I only checked the netgroup settings; however, I am not intentionally "using
netgroups". I just ran the above checks on the client to see if the previously
mentioned nisdomainname was set, which, it seems, on a standard install was all set
already.

For debugging I would add 'debug_level = 9' to the [domain/...] and
[sudo] sections and check in the domain log if the rule you are
interested in is downloaded and stored in the cache.

I will check and see if I can verify the rules are downloaded again. I believe previously
I did in fact see the rules listed in the debug, however I would need to double check. As
I understand it, if they are not downloaded, and I am not "trying" to use
netgroups, I wouldn't know how else to add a host group and have it apply. If they
ARE downloaded, and it doesn't believe it matches, I guess the error is possibly on
the client side matching, but again not sure how my client settings (default install)
affect it matching the host group in sudo rules.