diff -up sudo-1.8.6p3/plugins/sudoers/sudo_nss.c.nssdupfix sudo-1.8.6p3/plugins/sudoers/sudo_nss.c
--- sudo-1.8.6p3/plugins/sudoers/sudo_nss.c.nssdupfix	2015-02-27 11:30:35.666426719 +0100
+++ sudo-1.8.6p3/plugins/sudoers/sudo_nss.c	2015-02-27 11:33:50.726600481 +0100
@@ -88,14 +88,14 @@ sudo_read_nss(void)
 	for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) {
 	    if (strcasecmp(cp, "files") == 0 && !saw_files) {
 		tq_append(&snl, &sudo_nss_file);
-		got_match = true;
+		got_match = saw_files = true;
 	    } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) {
 		tq_append(&snl, &sudo_nss_ldap);
-		got_match = true;
+		got_match = saw_ldap = true;
 #ifdef HAVE_SSSD
 	    } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) {
 		tq_append(&snl, &sudo_nss_sss);
-		got_match = true;
+		got_match = saw_sss = true;
 #endif
 	    } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
 		/* NOTFOUND affects the most recent entry */
@@ -169,18 +169,18 @@ sudo_read_nss(void)
 	    if (!saw_files && strncasecmp(cp, "files", 5) == 0 &&
 		(isspace((unsigned char)cp[5]) || cp[5] == '\0')) {
 		tq_append(&snl, &sudo_nss_file);
-		got_match = true;
+		got_match = saw_files = true;
 		ep = &cp[5];
 	    } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
 		(isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
 		tq_append(&snl, &sudo_nss_ldap);
-		got_match = true;
+		got_match = saw_ldap = true;
 		ep = &cp[4];
 #ifdef HAVE_SSSD
 	    } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 &&
 		(isspace((unsigned char)cp[3]) || cp[3] == '\0')) {
 		tq_append(&snl, &sudo_nss_sss);
-		got_match = true;
+		got_match = saw_sss = true;
 		ep = &cp[3];
 #endif
 	    } else {