LDAP Sudoers w/ AD & SSSD (returns only primary group)

I'm having issues getting LDAP sudoers rules to work. My environment is:

• Active Directory on Windows Server 2012 R2
• Ubuntu 16.04.2
• SSSD 1.13.4-1ubuntu1.5
• sudo 1.8.20-3 (latest as of the posting, tried both LDAP and non-LDAP versions)

I followed these instructions to create a sudo_debug.log (sanitized):

Jun 19 14:53:28 sudo[60452] Received 2 rule(s)
Jun 19 14:53:28 sudo[60452] -> sudo_sss_filter_result @ ./sssd.c:225
...
Jun 19 14:53:28 sudo[60452] sssd/ldap sudoHost 'ALL' ... MATCH!
...
Jun 19 14:53:28 sudo[60452] val[0]=%linuxadmins
...
Jun 19 14:53:28 sudo[60452] sudo_get_grlist: looking up group names for user@domain.com
...
Jun 19 14:53:28 sudo[60452] sudo_getgrgid: gid 1157000513 [] -> group domain users@domain.com [] (cache hit)
...
Jun 19 14:53:28 sudo[60452] user_in_group: user user@domain.com NOT in group linuxadmins
Jun 19 14:53:28 sudo[60452] <- user_in_group @ ./pwutil.c:1031 := false
Jun 19 14:53:28 sudo[60452] user user@domain.com matches group linuxadmins: false @ usergr_matches() ./match.c:969
Jun 19 14:53:28 sudo[60452] <- usergr_matches @ ./match.c:970 := false
Jun 19 14:53:28 sudo[60452] sssd/ldap sudoUser '%linuxadmins' ... not (user@domain.com)
...

From this log, you can see that:

• the sudoers rules are getting from AD to sudo (2 rules, the one displayed matching an AD entry)
• the match fails on the linuxadmins group

However, the user is in the linuxadmins group (sanitized, but "user" matches):

$ getent group linuxadmins
linuxadmins@domain.com:*:1157001133:user@domain.com,otheruser@domain.com

The only odd thing about this log is that it sudo_get_grlist appears to return only the user's Primary Group domain users@domain.com. This would explain the lack of a match.

Has anyone seen this before? Any idea if the list of groups is resolved inside sudo (that I should continue to wait on my question to sudo-users) or somewhere else like SSSD (that I should find their list)?