Package: winbind
Version: 2:4.17.2+dfsg-9
Severity: normal

I happened to notice in the samba changelog that samba and winbind now use groupadd instead of addgroup, as a way to create a system group without extra dependencies. While reporting a missing dependency on adduser in an unrelated package (#1023758 in pipewire) I thought this could be a useful technique and looked at it in more detail.

Unfortunately, groupadd is in a non-Essential package, so using it without a dependency is technically a Policy violation (IMO not a release-critical one, but opinions might vary on this). Specifically, it's in passwd, which is Priority: required (therefore is preinstalled in even minimal debootstrap chroots, preventing piuparts from detecting this bug) but is technically something that sysadmins are allowed to remove.

Steps to reproduce:

    $ podman run --pull=always --rm -it debian:sid-slim
    # apt update
    # apt upgrade
    # apt purge adduser passwd
    # apt install --no-install-recommends winbind

(or use your favourite minimal container/chroot instead of podman)

Expected result: successful installation; winbind might not be practically useful without its Recommends, but should install OK

Actual result:

> Setting up winbind (2:4.17.2+dfsg-9) ...
> /var/lib/dpkg/info/winbind.postinst: 38: groupadd: not found
> dpkg: error processing package winbind (--configure):
> installed winbind package post-installation script subprocess returned error
> exit status 127

The obvious solution is "Depends: passwd" in the winbind and samba packages (and any others that use groupadd in this way). See #1023758 for some alternatives to this, involving sysusers.d.

Thanks,
smcv
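
Added example, not part of the bug report or of the samba packaging: a small shell check that flags a maintainer script calling groupadd/useradd (shipped in passwd) or addgroup/adduser (shipped in adduser) when the package's Depends field does not list the owning package. The function names, the sample postinst and the sample Depends line are constructed for illustration.

```shell
#!/bin/sh
# Added example; all names and sample inputs here are constructed.

# owner_of CMD: print the package that ships CMD (only the tools
# discussed in the report are covered).
owner_of() {
    case "$1" in
        groupadd|useradd) echo passwd ;;
        addgroup|adduser) echo adduser ;;
    esac
}

# has_dep DEPENDS PKG: succeed if PKG is listed in the Depends field.
# Version constraints and arch qualifiers are stripped; for "a | b"
# only the first alternative counts, since the second is not guaranteed.
has_dep() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^ *//; s/[ (:|].*$//' | grep -qx -- "$2"
}

# missing_deps SCRIPT_TEXT DEPENDS: print "command:package" for every
# account-management command used without a matching dependency.
missing_deps() {
    for cmd in groupadd useradd addgroup adduser; do
        # Ignore comment lines, then match the command as a whole word.
        if printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
                | grep -qw -- "$cmd"; then
            pkg=$(owner_of "$cmd")
            has_dep "$2" "$pkg" || echo "$cmd:$pkg"
        fi
    done
}

# Constructed sample input: a postinst that creates a system group,
# and a Depends field that does not mention passwd.
SAMPLE_POSTINST='#!/bin/sh
set -e
# create the system group
groupadd --force --system examplegrp
'
SAMPLE_DEPENDS='libc6 (>= 2.34), example-common'

missing_deps "$SAMPLE_POSTINST" "$SAMPLE_DEPENDS"
```

A static check like this catches the case piuparts cannot, because it does not rely on passwd being absent from the test chroot.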