From our user in the abovementioned bug report in Debian:
The pam_winbind module leaks file descriptors. wb_common.c keeps its
file descriptor in the winbindd_fd global variable and closes that
through the winbind_close_sock function, but there's no provision for
making sure that winbind_close_sock is called when pam_winbind is closed
A symptom of this is that Apache, if set up to use its auth_pam module,
is eventually unable to authenticate new users.
The attached patch instructs gcc to treat winbind_close_sock as a
destructor. This is the simplest fix but maybe not the best; from
looking at the docs, specifying a cleanup function to pam_set_data (and
doing something else for nss_winbind?) may be more correct.
diff -r samba-3.4.7.orig/nsswitch/winbind_client.h samba-3.4.7/nsswitch/winbind_client.h
< void winbind_close_sock(void);
> void winbind_close_sock(void) __attribute__((destructor));
From a discussion on IRC, this bug is a duplicate of #7684 (rather saif that 7684 is a duplicate of this one..:-))
*** This bug has been marked as a duplicate of bug 7684 ***