Samba-tool tries to redact --password arguments from the command line, which it currently does by trying to replace the --password=secret123 argument with the exact string "--password=xxx". Unfortunately it does this using a regular expression that includes the password: pass_opt_re_str = "(.*[ ]+)(%s[= ]%s)([ ]*.*)" % (opt_str, secret_data) and if the password contains a character like '(', which breaks the regex. samba-tool will fail with a long stack trace. If your password happens to contain some clever pathological backtracking regex, it will be slow. Also, if your password is actually "xxx" it will not be successfully redacted. This was reported at https://bugs.launchpad.net/bugs/2002949 by Renaud Miel, and brought to the attention of the Samba team by Seth Arnold of Canonical.
This is not a security concern. Even if an attacker can convince you to use a problematic password (perhaps with "must include special characters"), it only really denies you access to an inherently insecure usage. Don't use --password.
(In reply to Douglas Bagnall from comment #1) Time to rip out `--password`?
(In reply to Demi Marie Obenour from comment #2) This is used extensively in our selftest system, and regardless we don't remove existing functionality like this.
https://gitlab.com/samba-team/samba/-/merge_requests/2902 is the related MR.