[Freeipa-users] FreeIPA SUDO rules fail with hostgroups

I have recently found out that when adding SUDO rules to my IPA server, the host groups are not evaluated correctly. I am using the same host groups in my HBAC and they are working correctly. If I remove the host groups from the SUDO rule, and instead directly put the server in as an individual host, the SUDO rule works correctly. If simply set it to allow "all" hosts, while leaving the rest of the SUDO rule the same, it also works. Running a sudo command with the host groups provides the error: "test1 is not allowed to run sudo on srv1. This incident will be reported." I have turned on some debugging for SSSD and SUDO but it is extremely verbose, and after realizing the same host groups work with HBAC, I am skeptical this is an issue with my configuration. Anyone have some troubleshooting or work arounds? Is there perhaps a known bug I didn't find about this? As much as I hate it, my "right now" work around is to just allow it on all hosts, and rely on my HBAC to determine what groups can log into what hosts. However this isn't a true fix, just a stop gap while I look into this. IPA Client versions: ipa --version VERSION: 4.6.8, API_VERSION: 2.237 IPA Server version: ipa --version VERSION: 4.6.8, API_VERSION: 2.237