diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.6p3/plugins/sudoers/sssd.c
--- sudo-1.8.6p3/plugins/sudoers/sssd.c.sssdfixes	2013-08-13 15:20:39.558187669 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sssd.c	2013-08-13 16:24:27.209064162 +0200
@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s
  * Walk through search results and return true if we have a runas match,
  * else false.  RunAs info is optional.
  */
-static int
+static bool
 sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
-    int ret;
+    bool ret;
     debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
 
     if (rule == NULL)
-	 debug_return_int(false);
+	 debug_return_bool(false);
 
     ret = sudo_sss_check_runas_user(handle, rule) != false &&
 	 sudo_sss_check_runas_group(handle, rule) != false;
 
-    debug_return_int(ret);
+    debug_return_bool(ret);
 }
 
-static int
+static bool
 sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
     char **val_array, *val;
-    int ret = false, i;
+    bool ret = false;
+    int i;
     debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
 
     if (rule == NULL)
-	debug_return_int(ret);
+	debug_return_bool(ret);
 
     /* get the values from the rule */
     switch (handle->fn_get_values(rule, "sudoHost", &val_array))
@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand
 	break;
     case ENOENT:
 	sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
-	debug_return_int(false);
+	debug_return_bool(false);
     default:
 	sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
-	debug_return_int(ret);
+	debug_return_bool(ret);
     }
 
     /* walk through values */
@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand
 
     handle->fn_free_values(val_array);
 
-    debug_return_int(ret);
+    debug_return_bool(ret);
+}
+
+/*
+ * Look for netgroup specifcations in the sudoUser attribute and
+ * if found, filter according to netgroup membership.
+ *  returns:
+ *   true -> netgroup spec found && negroup member
+ *  false -> netgroup spec found && not a meber of netgroup
+ *   true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
+ */
+bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+{
+	bool ret = false, netgroup_spec_found = false;
+	char **val_array, *val;
+	int i;
+	debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
+
+	if (!handle || !rule)
+		debug_return_bool(ret);
+
+	switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
+		case 0:
+			break;
+		case ENOENT:
+			sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+			debug_return_bool(ret);
+		default:
+			sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
+			debug_return_bool(ret);
+	}
+
+	for (i = 0; val_array[i] != NULL && !ret; ++i) {
+		val = val_array[i];
+		if (*val == '+') {
+			netgroup_spec_found = true;
+		}
+		sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
+		if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
+			ret = true;
+			sudo_debug_printf(SUDO_DEBUG_DIAG,
+			                  "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
+		}
+	}
+	handle->fn_free_values(val_array);
+	debug_return_bool(netgroup_spec_found ? ret : true);
 }
 
 static int
@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_
     (void)unused;
     debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
 
-    if (sudo_sss_check_host(handle, rule))
+    if (sudo_sss_check_host(handle, rule) &&
+        sudo_sss_filter_user_netgroup(handle, rule))
 	debug_return_int(1);
     else
 	debug_return_int(0);