diff -up sudo-1.8.6p7/plugins/sudoers/sudo_nss.c.duplicatenssfix sudo-1.8.6p7/plugins/sudoers/sudo_nss.c
--- sudo-1.8.6p7/plugins/sudoers/sudo_nss.c.duplicatenssfix	2014-09-29 15:30:35.243303099 +0200
+++ sudo-1.8.6p7/plugins/sudoers/sudo_nss.c	2014-09-29 15:33:13.669439300 +0200
@@ -88,16 +88,16 @@ sudo_read_nss(void)
 	for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) {
 	    if (strcasecmp(cp, "files") == 0 && !saw_files) {
 		tq_append(&snl, &sudo_nss_file);
-		got_match = true;
+		got_match = saw_files = true;
 #ifdef HAVE_LDAP
 	    } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) {
 		tq_append(&snl, &sudo_nss_ldap);
-		got_match = true;
+		got_match = saw_ldap = true;
 #endif
 #ifdef HAVE_SSSD
 	    } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) {
 		tq_append(&snl, &sudo_nss_sss);
-		got_match = true;
+		got_match = saw_sss = true;
 #endif
 	    } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
 		/* NOTFOUND affects the most recent entry */
@@ -171,20 +171,20 @@ sudo_read_nss(void)
 	    if (!saw_files && strncasecmp(cp, "files", 5) == 0 &&
 		(isspace((unsigned char)cp[5]) || cp[5] == '\0')) {
 		tq_append(&snl, &sudo_nss_file);
-		got_match = true;
+		got_match = saw_files = true;
 		ep = &cp[5];
 #ifdef HAVE_LDAP
 	    } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
 		(isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
 		tq_append(&snl, &sudo_nss_ldap);
-		got_match = true;
+		got_match = saw_ldap = true;
 		ep = &cp[4];
 #endif
 #ifdef HAVE_SSSD
 	    } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 &&
 		(isspace((unsigned char)cp[3]) || cp[3] == '\0')) {
 		tq_append(&snl, &sudo_nss_sss);
-		got_match = true;
+		got_match = saw_sss = true;
 		ep = &cp[3];
 #endif
 	    } else {