diff --git a/sudo-1.8.8-sssdfixes.patch b/sudo-1.8.8-sssdfixes.patch
new file mode 100644
index 0000000..138794d
--- /dev/null
+++ b/sudo-1.8.8-sssdfixes.patch
@@ -0,0 +1,127 @@
+--- sudo-1.8.6p7/plugins/sudoers/sssd.c.sssd 2013-02-25 21:42:44.000000000 +0200
++++ sudo-1.8.6p7/plugins/sudoers/sssd.c 2013-12-19 13:24:26.851998107 +0200
+@@ -345,7 +345,7 @@ static int sudo_sss_setdefs(struct sudo_
+ 
+ if (sss_error == ENOENT) {
+ sudo_debug_printf(SUDO_DEBUG_INFO, "The user was not found in SSSD.");
+- debug_return_int(-1);
++ debug_return_int(0);
+ } else if(sss_error != 0) {
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sss_error=%u\n", sss_error);
+ debug_return_int(-1);
+@@ -529,30 +529,31 @@ sudo_sss_check_runas_group(struct sudo_s
+ * Walk through search results and return true if we have a runas match,
+ * else false. RunAs info is optional.
+ */
+-static int
++static bool
+ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+ {
+- int ret;
++ bool ret;
+ debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
+ 
+ if (rule == NULL)
+- debug_return_int(false);
++ debug_return_bool(false);
+ 
+ ret = sudo_sss_check_runas_user(handle, rule) != false &&
+ sudo_sss_check_runas_group(handle, rule) != false;
+ 
+- debug_return_int(ret);
++ debug_return_bool(ret);
+ }
+ 
+-static int
++static bool
+ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+ {
+ char **val_array, *val;
+- int ret = false, i;
++ bool ret = false;
++ int i;
+ debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
+ 
+ if (rule == NULL)
+- debug_return_int(ret);
++ debug_return_bool(ret);
+ 
+ /* get the values from the rule */
+ switch (handle->fn_get_values(rule, "sudoHost", &val_array))
+@@ -561,10 +562,10 @@ sudo_sss_check_host(struct sudo_sss_hand
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+- debug_return_int(false);
++ debug_return_bool(false);
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
+- debug_return_int(ret);
++ debug_return_bool(ret);
+ }
+ 
+ /* walk through values */
+@@ -584,7 +585,52 @@ sudo_sss_check_host(struct sudo_sss_hand
+ 
+ handle->fn_free_values(val_array);
+ 
+- debug_return_int(ret);
++ debug_return_bool(ret);
++}
++
++/*
++ * Look for netgroup specifcations in the sudoUser attribute and
++ * if found, filter according to netgroup membership.
++ * returns:
++ * true -> netgroup spec found && negroup member
++ * false -> netgroup spec found && not a meber of netgroup
++ * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
++ */
++bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
++{
++ bool ret = false, netgroup_spec_found = false;
++ char **val_array, *val;
++ int i;
++ debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
++
++ if (!handle || !rule)
++ debug_return_bool(ret);
++
++ switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
++ case 0:
++ break;
++ case ENOENT:
++ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
++ debug_return_bool(ret);
++ default:
++ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
++ debug_return_bool(ret);
++ }
++
++ for (i = 0; val_array[i] != NULL && !ret; ++i) {
++ val = val_array[i];
++ if (*val == '+') {
++ netgroup_spec_found = true;
++ }
++ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
++ if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
++ ret = true;
++ sudo_debug_printf(SUDO_DEBUG_DIAG,
++ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
++ }
++ }
++ handle->fn_free_values(val_array);
++ debug_return_bool(netgroup_spec_found ? ret : true);
+ }
+ 
+ static int
+@@ -594,7 +640,8 @@ sudo_sss_result_filterp(struct sudo_sss_
+ (void)unused;
+ debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
+ 
+- if (sudo_sss_check_host(handle, rule))
++ if (sudo_sss_check_host(handle, rule) &&
++ sudo_sss_filter_user_netgroup(handle, rule))
+ debug_return_int(1);
+ else
+ debug_return_int(0);
diff --git a/sudo.spec b/sudo.spec
index 871b86c..c27f67b 100644
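Review bot: In sudo_sss_filter_user_netgroup the final `debug_return_bool(netgroup_spec_found ? ret : true);` drops a rule whose sudoUser lists both a netgroup the user is not in and the user's own name, because `ret` is only set by `ALL` or by netgr_matches(), which presumably ignores values without a leading `+` — a false denial rather than a false grant, but nothing in the header comment says so. That comment also states the rule is "filtered by SSSD already" when no netgroup appears; trusting SSSD's own sudoUser match is the security-relevant assumption of this filter and belongs next to the return, e.g. `/* No netgroup in sudoUser: rely on SSSD having matched the user; with a netgroup present only ALL or netgroup membership counts (a plain user name does not). */`. Separately, `debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);` names a different function than the one it sits in and should read `debug_decl(sudo_sss_filter_user_netgroup, SUDO_DEBUG_SSSD);`, and this is the only function in the patch declared without `static`. The ENOENT branch of sudo_sss_setdefs now reports success with no defaults for a user unknown to SSSD instead of an error; a one-line comment stating that this is intentional would help the next reader. The inner hunks are fragments of sssd.c, so sudo_sss_setdefs and sudo_sss_result_filterp start and end outside this patch.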
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.6p7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -26,6 +26,8 @@ BuildRequires: zlib-devel
 Patch1: sudo-1.6.7p5-strip.patch
 # configure.in fix
 Patch2: sudo-1.7.2p1-envdebug.patch
+# sssd fixes from 1.8.8
+Patch3: sudo-1.8.8-sssdfixes.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -52,6 +54,7 @@ plugins that use %{name}.
 %patch1 -p1 -b .strip
 %patch2 -p1 -b .envdebug
+%patch3 -p1 -b .sssd
 
 %build
 autoreconf -I m4 -fv --install
@@ -164,6 +167,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+* Thu Dec 19 2013 Alexander Bokovoy - 1.8.6p7-2
+- Backport SSSD changes, fixes #1000362
+
 * Thu Feb 28 2013 Daniel Kopecek - 1.8.6p7-1
 - update to 1.8.6p7
 - fixes CVE-2013-1775 and CVE-2013-1776