I had two IPA servers setup - my master and the replica. When performing the HBAC test (which includes a sudo rules test as a component of the HBAC test) the test would say access granted from the master. I had not tried to run the same test from the replica until this weekend when I did so by accident. The test told me access denied. For a moment I was puzzled until I realized I was running the test from the replica. Then I tried the same test again from the master and the test passed. This made me realize something was wrong and needed to be investigated further. I decided to install the ipa healthcheck tool on both servers and see what it told me. I read the documentation and ran all available healthchecks. Sure enough, one of the healthchecks failed. It didn't have just one failure though, there were many failures for the same test. I learned that even though the replica install logs showed installation success I was still missing a package that needed to be installed separately. Once I installed the correct ipa package and ran the healthcheck again all tests passed. Now, when running the HBAC test in the GUI, both servers showed access granted. A last test from the client still didn't work. I cleared the sssd cache and tried again. Now sudo worked! It certainly underscored how important it is to have a healthy system status. Also, the problem appeared to be one thing in my mind but turned out being totally different when actually resolved. Keep your mind open to all possibilities.