libpam-smbpass syncs unix passwords when "unix password sync" is off

Bug #609092 reported by Anders Aagaard
Affects: samba (Ubuntu) | Status: Opinion | Importance: Wishlist | Assigned to: Unassigned | Milestone: none

Bug Description

Binary package hint: samba

Samba defaults to "unix password sync" off, but this package is installed by default, and ignores that setting and syncs on its own initiative. I see NO reason why this should be installed by default. Instead there could be a comment in the default smb.conf shipped, that says "instead of using unix password sync consider package X".

I strongly suspect there's a security concern as well here, I REALLY don't want my password auto-synced to multiple places by default. I have sha512 encryption on /etc/shadow for a reason.

I haven't had a user enabled in samba for ages, because it kept resetting the password. To find the solution I looked in samba logs, and samba configuration files, and found nothing to explain this behavior. Then I stumbled over this thread to find the solution to what was going on:
http://ubuntuforums.org/showthread.php?t=827088

Thierry Carrez (ttx) wrote:

Could you clarify what you mean by "installed by default"?
It certainly isn't installed on Ubuntu Desktop by default, and it's not installed in the default Server install either. It's installed in the "Samba File Server" task in the server installer. It also gets installed when you enable file sharing on the desktop. In both cases that sounds like a sane default behavior.

The reason why it syncs unix passwords when "unix password sync" is off is that libpam-smbpass is an alternative way of syncing Unix and Samba passwords: instead of syncing them at passwd change (which is what "unix password sync" does), libpam-smbpass (if present) syncs them when the user logs in. The way to disable it is to uninstall libpam-smbpass.

Changed in samba (Ubuntu):
importance: Undecided → Wishlist
status: New → Incomplete
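
Since the two sync mechanisms live in different files, the quickest way to see which one is active on a host is to check both. The following audit helper is an added example, not code from the bug report or from the samba package; it assumes the Debian/Ubuntu layout where libpam-smbpass is wired in through lines under /etc/pam.d, and takes the paths as arguments so it can be pointed at the real files or at test copies.

```sh
#!/bin/sh
# Added audit helper (not from the bug report or the samba package): reports
# which of the two Unix/Samba password-sync paths is active. Paths are passed
# as arguments, e.g. audit_password_sync /etc/pam.d /etc/samba/smb.conf.

# pam_smbpass_enabled PAMDIR: "yes" if any uncommented line under PAMDIR loads
# pam_smbpass.so (login-time sync done by libpam-smbpass), else "no".
pam_smbpass_enabled() {
    if grep -qs '^[^#]*pam_smbpass\.so' "$1"/*; then echo yes; else echo no; fi
}

# unix_password_sync SMBCONF: "yes" if smb.conf turns on "unix password sync"
# (passwd-time sync done by smbd). Samba defaults this to off, so a missing
# file or line means "no"; the last uncommented setting wins.
unix_password_sync() {
    val=$(grep -i '^[[:space:]]*unix[[:space:]]*password[[:space:]]*sync[[:space:]]*=' "$1" 2>/dev/null \
          | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
    case "$val" in
        yes|true|1|on) echo yes ;;
        *)             echo no ;;
    esac
}

# audit_password_sync PAMDIR SMBCONF: one verdict line per sync path.
audit_password_sync() {
    printf 'login-time sync via libpam-smbpass: %s\n' "$(pam_smbpass_enabled "$1")"
    printf 'passwd-time sync via "unix password sync": %s\n' "$(unix_password_sync "$2")"
}

# Constructed sample mirroring the reporter's situation: pam_smbpass.so present
# in the PAM password stack while smb.conf leaves "unix password sync" off.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/pam.d"
printf 'password optional pam_smbpass.so nullok use_authtok try_first_pass\n' \
    > "$demo_dir/pam.d/common-password"
printf '[global]\n   workgroup = WORKGROUP\n#  unix password sync = yes\n' \
    > "$demo_dir/smb.conf"
audit_password_sync "$demo_dir/pam.d" "$demo_dir/smb.conf"
rm -rf "$demo_dir"
```

On the reporter's setup the first line reports "yes" and the second "no", which is exactly the combination that makes passwords change on login while smb.conf looks innocent.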
Anders Aagaard (aagaande) wrote:

Yes, it's installed when you install samba, I should have specified I meant "by default when installing samba", sorry about that.

I've looked around for a good while now trying to find out what hashes and encryption samba uses on its files. I assumed it would have to use whatever hash the protocol uses, and it looks like I guessed right. Looking around for specifications on what's stored in the password database I find this in samba's documentation:
"user account information such as username, LM/NT password hashes, password change times, and account flags"

So that's LanMan and MD4 hashes. LanMan is known for being easy to crack (see http://en.wikipedia.org/wiki/LM_hash ).

My /etc/secrets are hashed to sha512 because it's too easy to break md5. I REALLY don't want my password automatically put in more databases by default in any package.

Anders Aagaard (aagaande) wrote:

Looking into this more, without "client lanman auth = yes" samba will use ntlm by default. That's still not a hash comparable to sha512. So my argument stands.

NTLM is described here: http://en.wikipedia.org/wiki/NTLM

Thierry Carrez (ttx) wrote:

libpam-smbpass is not "installed by default when you install samba". It is installed when you choose the "Samba file server" task in tasksel (which groups samba with other useful packages, when you don't know what to pick), or when you set up folder sharing in the desktop (where it makes sense as a default behavior). Both cases are targeted to novice users where enabling libpam-smbpass makes sense as the default.

I think that's a sane usability/discoverability/security trade-off. It's not installed when you install "samba" by itself, so it doesn't weaken security at all in most cases. You can safely remove it if you got it through the task or the folder sharing installer and prefer added security rather than that extra feature.

Changed in samba (Ubuntu):
status: Incomplete → Opinion