Samba-tool tries to redact --password arguments from the command line, which it currently does by trying to replace the --password=secret123 argument with the exact string "--password=xxx". Unfortunately it does this using a regular expression that includes the password: `pass_opt_re_str = "(.*[ ]+)(%s[= ]%s)([ ]*.*)" % (opt_str, secret_data)` and if the password contains a character like '(', which breaks the regex, samba-tool will fail with a long stack trace. If your password happens to contain some clever pathological backtracking regex, it will be slow. Also, if your password is actually "xxx" it will not be successfully redacted. This was reported at https://bugs.launchpad.net/bugs/2002949 by Renaud Miel, and brought to the attention of the Samba team by Seth Arnold of Canonical.
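The failure described in the report, as an added example that is not Samba's code or the fix that was merged: `redact_with_regex` is a reconstruction around the quoted pattern, and `redact_argv` is one possible approach that masks by argument position without ever putting the secret into a regex. The function names and the sample command lines are constructed for illustration.

```python
import re

OPT = "--password"   # option named in the report
MASK = "xxx"         # mask string named in the report


def redact_with_regex(cmdline, secret):
    """Reconstruction around the quoted pattern: secret interpolated unescaped."""
    pattern = "(.*[ ]+)(%s[= ]%s)([ ]*.*)" % (OPT, secret)
    m = re.match(pattern, cmdline)      # raises re.error if secret is not a valid regex
    if m is None:
        return cmdline                  # no match: the secret stays visible
    return m.group(1) + OPT + "=" + MASK + m.group(3)


def regex_redaction_fails(cmdline, secret):
    """True when the regex approach raises instead of redacting."""
    try:
        redact_with_regex(cmdline, secret)
    except re.error:
        return True
    return False


def redact_argv(argv):
    """Mask by position in argv; the secret's content is never inspected."""
    out, mask_next = [], False
    for arg in argv:
        if mask_next:                   # value following a bare --password
            out.append(MASK)
            mask_next = False
        elif arg.startswith(OPT + "="):
            out.append(OPT + "=" + MASK)
        else:
            out.append(arg)
            mask_next = (arg == OPT)
    return out


if __name__ == "__main__":
    # Constructed sample command lines.
    ok = "samba-tool user create alice --password=secret123 -H ldap://dc"
    print(redact_with_regex(ok, "secret123"))
    bad = "samba-tool user create alice --password=pa(ss -H ldap://dc"
    print("regex approach raises:", regex_redaction_fails(bad, "pa(ss"))
    print(" ".join(redact_argv(bad.split(" "))))
```

A password such as `p+w` is a valid regex that does not match itself literally, so the regex approach returns that command line unredacted without raising any error.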
This is not a security concern. Even if an attacker can convince you to use a problematic password (perhaps with "must include special characters"), it only really denies you access to an inherently insecure usage. Don't use --password.
(In reply to Douglas Bagnall from comment #1) Time to rip out `--password`?
(In reply to Demi Marie Obenour from comment #2) This is used extensively in our selftest system, and regardless we don't remove existing functionality like this.
https://gitlab.com/samba-team/samba/-/merge_requests/2902 is the related MR.
This bug was referenced in samba master: 848fea1a01a4ddc1598150823d5d0784d3ef0be4 fd81759e2ed44cac3bc67243a39256f953969103 5afd206d1d8f0344a2f1fa7a238204d1fb164eda 3f9e455898554b726bf1689f743b2d9cb6b59537 a53ebc288f47329c997d52325eeeb5e91ce43b75 414b3803bb6a1b12c44b52ab1ff64a8b7f61fd03 76ad44f446c42832e87b2c60a4731a8de3a0018f
This bug was referenced in samba v4-19-test: 848fea1a01a4ddc1598150823d5d0784d3ef0be4 fd81759e2ed44cac3bc67243a39256f953969103 5afd206d1d8f0344a2f1fa7a238204d1fb164eda 3f9e455898554b726bf1689f743b2d9cb6b59537 a53ebc288f47329c997d52325eeeb5e91ce43b75 414b3803bb6a1b12c44b52ab1ff64a8b7f61fd03 76ad44f446c42832e87b2c60a4731a8de3a0018f
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc1): 848fea1a01a4ddc1598150823d5d0784d3ef0be4 fd81759e2ed44cac3bc67243a39256f953969103 5afd206d1d8f0344a2f1fa7a238204d1fb164eda 3f9e455898554b726bf1689f743b2d9cb6b59537 a53ebc288f47329c997d52325eeeb5e91ce43b75 414b3803bb6a1b12c44b52ab1ff64a8b7f61fd03 76ad44f446c42832e87b2c60a4731a8de3a0018f
Created attachment 18017: Patch in master backported to Samba 4.18
ready for 4.18.
Pushed to autobuild-v4-18-test.
This bug was referenced in samba v4-18-test: 7f87d028516b6f006c944efa44be92f84a8b1c52 2ed3913687513995cd006ca5590eac426ccfbeec 534425ba2f6527666401b9cab6960c977ca22308 8c2c1b5413a9e0d6b82b07e5571c43a6f3c50618 e724909ac0640bb2aa27275e4368b3758de7bde5 c11b6d6b6a43730f49809eb725931900b99b941d e911424161d838ab09cc582ae56843c84ee52bc1
Closing out bug report. Thanks!
This bug was referenced in samba v4-18-stable (Release samba-4.18.6): 7f87d028516b6f006c944efa44be92f84a8b1c52 2ed3913687513995cd006ca5590eac426ccfbeec 534425ba2f6527666401b9cab6960c977ca22308 8c2c1b5413a9e0d6b82b07e5571c43a6f3c50618 e724909ac0640bb2aa27275e4368b3758de7bde5 c11b6d6b6a43730f49809eb725931900b99b941d e911424161d838ab09cc582ae56843c84ee52bc1