do you have 'sudo: files sss" or "sudoers: files sss"? The former
doesn't do anything, the latter is correct.

if you crank up debugging in the sudo section in sssd.conf do you see
any activity at all?

do you have '/usr/lib64/libsss_sudo.so' installed? On fedora/rhel, this
is provided by libsss_sudo, I don't know what provides it on Debian.

doesn't do anything, the latter is correct.

My mistake, I meant

sudoers: files sss

But oddly, out of the three 16.04 boxes I set up and enrolled, it was
missing on one of them - and this happened to be the one I was checking
logs on :-( (However, sudo fails in the same way on all three machines)

So after adding this I've rechecked logs.

/var/log/sudo-debug is the same, in particular it still shows "policy
plugin returns 0" and nothing after.

With sss_debuglevel 5, /var/log/sssd/sssd_IPA.EXAMPLE.COM.log has

...
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data]
(0x0100): ruser: brian.candler
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data]
(0x0100): rhost:
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data]
(0x0100): authtok type: 0
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data]
(0x0100): priv: 0
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data]
(0x0100): cli_pid: 22709
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data]
(0x0100): logon name: not set
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]]
[ipa_hostgroup_info_done] (0x0200): Dereferenced host group: normal_hosts
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]]
[ipa_hostgroup_info_done] (0x0200): Dereferenced host group:
development_hosts
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]]
[hbac_get_category] (0x0200): Category is set to 'all'.
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
[allow_normal_hosts]
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
[Success]
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]]
[be_pam_handler_callback] (0x0100): Sending result [0][IPA.EXAMPLE.COM]
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]]
[be_pam_handler_callback] (0x0100): Sent result [0][IPA.EXAMPLE.COM]

("allow_normal_hosts" is indeed the name of the rule in FreeIPA database)

sssd.log has:

(Wed May 3 08:50:35 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed May 3 08:50:35 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed May 3 08:50:35 2017) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root
(Wed May 3 08:50:35 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [root] from [<ALL>]
(Wed May 3 08:50:35 2017) [sssd[nss]] [nss_cmd_initgroups_search]
(0x0080): No matching domain found for [root], fail!
(Wed May 3 08:50:37 2017) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!

(Hmm, suspicious that error about "root" ??)

sssd_sudo.log has:

(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [brian.candler] from [<ALL>]
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [***@IPA.EXAMPLE.COM]
(Wed May 3 08:50:35 2017) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=brian.candler)(sudoUser=#1211000003)(sudoUser=%security_administrators)(sudoUser=%admins)(sudoUser=%network_readonly)(sudoUser=%vpn)(sudoUser=%system_administrators)(sudoUser=%ipausers)(sudoUser=%staff)(sudoUser=%brian.candler)(sudoUser=+*))(&(dataExpireTimestamp<=1493801435)))]
(Wed May 3 08:50:35 2017) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [brian.candler] from [<ALL>]
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [***@IPA.EXAMPLE.COM]
(Wed May 3 08:50:35 2017) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=brian.candler)(sudoUser=#1211000003)(sudoUser=%security_administrators)(sudoUser=%admins)(sudoUser=%network_readonly)(sudoUser=%vpn)(sudoUser=%system_administrators)(sudoUser=%ipausers)(sudoUser=%staff)(sudoUser=%brian.candler)(sudoUser=+*))(&(dataExpireTimestamp<=1493801435)))]
(Wed May 3 08:50:35 2017) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=brian.candler)(sudoUser=#1211000003)(sudoUser=%security_administrators)(sudoUser=%admins)(sudoUser=%network_readonly)(sudoUser=%vpn)(sudoUser=%system_administrators)(sudoUser=%ipausers)(sudoUser=%staff)(sudoUser=%brian.candler)(sudoUser=+*)))]
(Wed May 3 08:50:37 2017) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!

sssd_pam.log has:

(Wed May 3 08:50:37 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Received client version [3].
(Wed May 3 08:50:37 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Offered version [3].
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
entering pam_cmd_authenticate
(Wed May 3 08:50:37 2017) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
command: SSS_PAM_AUTHENTICATE
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
domain: not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
service: sudo
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser:
brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
authtok type: 1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 22709
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon
name: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [***@IPA.EXAMPLE.COM]
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dp_send_req] (0x0100):
Sending request with the following data:
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
command: SSS_PAM_AUTHENTICATE
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
domain: IPA.EXAMPLE.COM
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
service: sudo
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser:
brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
authtok type: 1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 22709
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon
name: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
received: [0 (Success)][IPA.EXAMPLE.COM]
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [0]: Success.
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [0]: Success.
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 83
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
entering pam_cmd_acct_mgmt
(Wed May 3 08:50:37 2017) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
command: SSS_PAM_ACCT_MGMT
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
domain: not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
service: sudo
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser:
brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
authtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 22709
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon
name: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [***@IPA.EXAMPLE.COM]
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dp_send_req] (0x0100):
Sending request with the following data:
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
command: SSS_PAM_ACCT_MGMT
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
domain: IPA.EXAMPLE.COM
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
service: sudo
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser:
brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
authtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 22709
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon
name: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
received: [0 (Success)][IPA.EXAMPLE.COM]
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [0]: Success.
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 34
(Wed May 3 08:50:37 2017) [sssd[pam]] [client_recv] (0x0200): Client
disconnected!


I probably should have said: logging into the machine with an IPA
account works fine, and "id brian.candler" works fine. It's just sudo
which is failing.
any activity at all? do you have '/usr/lib64/libsss_sudo.so' installed?
On fedora/rhel, this is provided by libsss_sudo, I don't know what
provides it on Debian.

Yes it's there, in this package:

ii libsss-sudo 1.13.4-1ubuntu1.2 amd64
Communicator library for sudo

# ls -l /usr/lib/x86_64-linux-gnu/libsss_sudo.so
-rw-r--r-- 1 root root 19048 Feb 23 17:53
/usr/lib/x86_64-linux-gnu/libsss_sudo.so

# file /usr/lib/x86_64-linux-gnu/libsss_sudo.so
/usr/lib/x86_64-linux-gnu/libsss_sudo.so: ELF 64-bit LSB shared object,
x86-64, version 1 (SYSV), dynamically linked,
BuildID[sha1]=7eb72ec85bdd76aca8d82e03a3fad9aa12abc0ba, stripped

Regards,

Brian.