Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: nss responder uses negative cache to eliminate the need for asking provider for non-existent entity multiple times. However in case of netgroups the querying process didn't work well with the negative cache.
Consequence: in some cases an empty netgroup could have been returned to client even if it actually didn't exist
Fix: nss responder has been changed to use special flag indicating that the group has been found in the cache instead if using negative cache for netgroup lookups
Result: netgroup queries no longer return empty netgroups if they don't exist in the cache

Verified on sssd-1.8.0-22.el6.x86_64. 

The output for the associated beaker automation script is given below:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Verify BZ release ticket #336 :- sssd returns empty netgroup at a second request for an non-existing netgroup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Verify BZ release ticket #336
:: [   PASS   ] :: Verify BZ release ticket #336
:: [   PASS   ] :: Verify BZ release ticket #336
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: Verify BZ release ticket #336 :- sssd returns empty netgroup at a second request for an non-existing netgroup

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html