Hi Aaron, I found this information very helpful for debugging a CentOS 7 box that is having the same problem, thank you.
On my box, sudo over SSSD is working, but not with host groups, only with specific hosts listed. So there's some problem with the host expansion as you point out, but I'm unable to find the right log entries. I used the document at https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html to set up the logging.
Do you know any keywords that I can grep for that would narrow down the log lines that are relevant? These log files are really big!
Thanks, Brian