I had a test environment which had two samba DCs (running v 4.8.0rc2) and 1 Windows Server 2008R2 DC. The samba DCs had been upgraded from v 4.6x and the secrets database was not encrypted (as far as I know). I decided to downgrade one of the samba DCs to v 4.7.4. On re-starting samba after the downgrade the log shows: ldb: unable to dlopen /usr/local/samba/lib/ldb/encrypted_secrets.so : /usr/local/samba/lib/private/libdsdb-module-samba4.so: version `SAMBA_4.8.0RC2' not found (required by /usr/local/samba/lib/ldb/encrypted_secrets.so) and the samba daemons are left in a failed state. Recovery was to remove this failed DC (dc1) from the domain, after seizing the FSMO roles and using the remove-other-dead-server option on the remaining (4.8.0rc2) DC. On the original machine, I removed all traces of the existing samba installation and then installed a freshly compiled copy of v. 4.7.5 and re-joined the domain (though wasn't able to specify the --plaintext-secrets option). All was working, including replication (as far as I know). I then demoted the other 4.8.0rc2 samba machine (dc2), with the same result, so had to repeat the seizing of roles and removal then install 4.7.5 and re-join.
This may be totally dumb, but have you tried: # /usr/local/samba/lib/ldb/encrypted_secrets.so Afaict encrypted_secrets.so is part of 4.7 so shouldn't be present in a 4.7 install. So if it's left over in the ldb module directory from the 4.8 install, 4.7 will try to load it (as it's in the ldb module dir) and that fails.
(In reply to Ralph Böhme from comment #1) Ups, somehow an important part was stripped, I meant: # rm /usr/local/samba/lib/ldb/encrypted_secrets.so
(In reply to Ralph Böhme from comment #2) No, sadly I didn't try that - too late now as I've blown it away! Thanks, Roy
Closing as invalid per the discussion.