Description of problem:

When host groups are used with sudorules in IPA - any update is not picked up
by sssd until sssd is restarted and the sssd cache cleared on the client. user
groups update immediately.

This poses a potential security risk as if you remove hosts from the hostgroup
sssd on the clients still allows them to run the sudo commands.

Note that host groups for hbac rules works as expected i.e. update immediately.

Version-Release number of selected component (if applicable):

1. RHEL 6.0, sssd v 1.5.1-66.el6_2.3 & ipa-server-2.1.3-9.el6.x86_64 (same
version of client)
2. RHEL6.0, sssd v 1.8.0-32.el6.x86_64 & ipa-server-2.1.3-9.el6.x86_64 (same
version of client)
3. RHEL 6.3 sssd v 1.8.0-32.el6.x86_64 & ipa-server-2.2.0-16.el6.x86_64 (same
version of client)

How reproducible:

To make the steps clearer I will use an example where:

hg_test is the hostgroup defined in IPA
client.example.com is the client on which the sudo command will be executed
test_user - is the test user

Steps to Reproduce:
1. Set-up sudorule with "Access this host" set to hostgroup hg_test with
client.example.com in the hostgroup hg_test & all other setting set to all. Set
sudoers-debug 2 in sudo-ldap.conf (or whichever file sudo -V | grep ^ldap.conf
specifies to help debugging).
2. Check that test_user on client.example.com can execute the sudo command
successfully
3. Remove client.example.com from the hostgroup hg_test
4. Log out and in again as the test_user and attempt a sudo command again

Actual results:

Even after the host client.example.com has been removed from the hostgroup
hg_test the users on this server can still execute sudo commands even though
they should not be able to.

This can only be remedied by restarting sssd and clearing the cache i.e.:

service sssd stop ; rm -f /var/lib/sss/db/* ; service sssd start

Expected results:

Updates to the hosts in the hostgroup should be picked up immediately by sssd

Additional info:

Config files:

sudo-ldap.conf:

uri             ldap://ipaserver.example.com
ldap_version    3
sudoers_base    ou=SUDOers,dc=example,dc=com
binddn          uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw          *****
bind_timelimit  5000
timelimit       15
ssl             start_tls
#tls_checkpeer  (yes)
tls_checkpeer   no
tls_cacertfile  /etc/ipa/ca.crt
sudoers_debug   2

sssd.conf

[sssd]
config_file_version = 2
services = nss, pam

domains = example.com
[nss]

[pam]

[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaserver.example.com
chpass_provider = ipa
ipa_server = ipaserver.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
enumerate = True
debug_level = 9
entry_cache_netgroup_timeout =  60 # set low to see if this would update the
hostgroups after 60 seconds.