Thanks again Lukas, These turned out to be very helpful debugging suggestions, and were the critical part of getting the problem solved - the pointer to ldb-tools was extremely helpful in identifying where the issue was happening!
With them, I was able to see the right sudo rules were being cached, and that the change from sudo working to sudo not working happened not because of the host, but because of the user, and in particular, the user being a listed explicitly, or only as part of a group. The user's groups were being listed in the user's entry in the cache, but not when running the "id" command. Some quick googling, and I discovered that in Ubuntu 14.04, the sssd option "enumerate" defaults to false, which meant that the group memberships were not taking effect, which meant that sudo rules based on membership in a group weren't working. Setting enumerate to true got everything working. Many thanks again! -Andrew
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project