[Pkg-samba-maint] Bug#1023759: winbind, samba: runs groupadd without a dependency on passwd

[Simon McVittie]

Package: winbind
Version: 2:4.17.2+dfsg-9
Severity: normal

I happened to notice in the samba changelog that samba and winbind now use
groupadd instead of addgroup, as a way to create a system group without
extra dependencies. While reporting a missing dependency on adduser in
an unrelated package (#1023758 in pipewire) I thought this could be a
useful technique and looked at it in more detail.

Unfortunately, groupadd is in a non-Essential package, so using it without
a dependency is technically a Policy violation (IMO not a release-critical
one, but opinions might vary on this). Specifically, it's in passwd,
which is Priority: required (therefore is preinstalled in even minimal
debootstrap chroots, preventing piuparts from detecting this bug) but
is technically something that sysadmins are allowed to remove.

Steps to reproduce:

$ podman run --pull=always --rm -it debian:sid-slim
# apt update
# apt upgrade
# apt purge adduser passwd
# apt install --no-install-recommends winbind

(or use your favourite minimal container/chroot instead of podman)

Expected result: successful installation; winbind might not be practically
useful without its Recommends, but should install OK

Actual result:

> Setting up winbind (2:4.17.2+dfsg-9) ...
> /var/lib/dpkg/info/winbind.postinst: 38: groupadd: not found
> dpkg: error processing package winbind (--configure):
>  installed winbind package post-installation script subprocess returned error exit status 127

The obvious solution is "Depends: passwd" in the winbind and samba
packages (and any others that use groupadd in this way). See #1023758
for some alternatives to this, involving sysusers.d.

Thanks,
    smcv