The upstream samba package was updated from 4.4 to 4.6 in CentOS 7.4. I suppose they changed the random password generation algorithm…
On our side, about one year ago we disabled the automatic SSSD password renewal function, introduced in 7.3 that breaks non-sssd aware modules (like SOGo, WebTop, Roundcube…).
I think we should stop to use the machine password to browse Samba AD LDAP and always require a dedicated account, like we do with MS AD. Local AD provider can generate it automatically.
No, as long as individual configuration templates and applications support binary data.