samba - Dec 2017 - inconsistent winbind on upgraded member server

I upgraded a domain member server from 4.5.5 to 4.6.2. After some initial
tests, where everything seemed to be working fine, I upgraded the OS from
CentOS 7.3 to 7.4. Now I have intermittent problems with domain users
trying to log in to the member server over ssh.

After a bunch of troubleshooting I determined that winbind sometimes
returns the user home directory and shell incorrectly and sometimes returns
it correctly.

I think the problem is best illustrated like this:


[mark at nikola ~]$ wbinfo -i mark
mark:*:500:513:Mark Nienberg:/home/STA/mark:/bin/false <--- wrong

[mark at nikola ~]$ finger mark
Login: mark                       Name: Mark Nienberg
Directory: /home/mark                   Shell: /bin/bash  <-- correct

[mark at nikola ~]$ wbinfo -i mark
mark:*:500:513:Mark Nienberg:/home/mark:/bin/bash  <-- now correct!

Results seem to continue to be correct for an hour or so, then they revert
to incorrect.


Here is part of smb.conf

[global]
        workgroup = STA
        security = ADS
        realm = TIPPING.LAN
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config STA:backend = ad
        idmap config STA:schema_mode = rfc2307
        idmap config STA:range = 500-70000

        # after upgrade to 4.6 series, comment out the following
        #winbind nss info = rfc2307

        # after upgrade to 4.6 series, uncomment the following
        idmap config STA:unix_nss_info = yes

        vfs objects = acl_xattr
        map acl inherit = Yes

        interfaces = ens192 lo
        bind interfaces only = yes

        store dos attributes = Yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes


Any ideas appreciated.

Mark