I encountered the same bug today.
When a client (Windows or Mac) connects to the samba server at some point in time (not clearly reproducible, I guess file access or directory listing) the 'panic action' script is executed with the same output as above. The log file tells me:

[2011/11/18 14:45:27.558820,  1] lib/server_mutex.c:64(grab_named_mutex)
  Could not open mutex.tdb: Permission denied
[2011/11/18 14:45:27.561831,  0] lib/popt_common.c:64(popt_s3_talloc_log_fn)
  auth/auth_server.c:277: Type mismatch: name[NULL] expected[struct server_security_state]
[2011/11/18 14:45:27.561854,  0] lib/util.c:1465(smb_panic)
  PANIC (pid 15243): auth/auth_server.c:277: Type mismatch: name[NULL] expected[struct server_security_state]
[2011/11/18 14:45:27.566588,  0] lib/util.c:1569(log_stack_trace)
  BACKTRACE: 26 stack frames:
   #0 smbd(log_stack_trace+0x1a) [0x7fa72df9eb6a]
   #1 smbd(smb_panic+0x1f) [0x7fa72df9ec2f]
   #2 /usr/lib/libtalloc.so.2(_talloc_get_type_abort+0x5c) [0x7fa72b7df8cc]
   #3 smbd(+0x3bb46d) [0x7fa72dfec46d]
   #4 smbd(+0x3b6f1b) [0x7fa72dfe7f1b]
   #5 smbd(+0x3c403b) [0x7fa72dff503b]
   #6 smbd(+0x1c04d9) [0x7fa72ddf14d9]
   #7 smbd(ntlmssp_update+0xc4) [0x7fa72ddf36b4]
   #8 smbd(auth_ntlmssp_update+0x16) [0x7fa72dff5536]
   #9 smbd(+0x2faafc) [0x7fa72df2bafc]
   #10 smbd(api_pipe_bind_auth3+0x36f) [0x7fa72df2c20f]
   #11 smbd(np_write_send+0xb53) [0x7fa72df29403]
   #12 smbd(reply_pipe_write_and_X+0x167) [0x7fa72dd4ec87]
   #13 smbd(reply_write_and_X+0x398) [0x7fa72dd58118]
   #14 smbd(+0x167bb5) [0x7fa72dd98bb5]
   #15 smbd(+0x167f57) [0x7fa72dd98f57]
   #16 smbd(+0x1683da) [0x7fa72dd993da]
   #17 smbd(run_events+0x1e3) [0x7fa72dfae303]
   #18 smbd(smbd_process+0x756) [0x7fa72dd9a936]
   #19 smbd(+0x66891e) [0x7fa72e29991e]
   #20 smbd(run_events+0x1e3) [0x7fa72dfae303]
   #21 smbd(+0x37d4f8) [0x7fa72dfae4f8]
   #22 smbd(_tevent_loop_once+0x90) [0x7fa72dfaef90]
   #23 smbd(main+0xad3) [0x7fa72e29a5c3]
   #24 /lib/libc.so.6(__libc_start_main+0xfd) [0x7fa72b044c4d]
   #25 smbd(+0xea8a9) [0x7fa72dd1b8a9]
[2011/11/18 14:45:27.566759,  0] lib/util.c:1470(smb_panic)
  smb_panic(): calling panic action [/usr/share/samba/panic-action 15243]
[2011/11/18 14:45:27.786627,  0] lib/util.c:1478(smb_panic)
  smb_panic(): action returned status 0
[2011/11/18 14:45:27.786698,  0] lib/fault.c:326(dump_core)
  dumping core in /var/log/samba/cores/smbd

Here the smb.conf
#======================= Global Settings =======================
[global]
   workgroup = CAMPUS
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

security = server
password server = [removed for privacy]
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
map to guest = bad user
   socket options = TCP_NODELAY
   usershare allow guests = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

[share1]
	comment = [removed for privarcy]
	path = [removed for privarcy]
	writeable = yes
	browseable = yes
	public = no
	delete readonly = yes

[homes] 
        comment = Home Directories
        writeable = Yes
        browseable = No
	delete readonly = yes

[share]
	comment = [removed for privarcy]
	path = [removed for privarcy]
	writeable = yes
	write list = [removed for privarcy]
	force group = [removed for privarcy]
	create mask = 0775
	force create mode = 0775
	directory mask = 2775
	force directory mode = 2775
	browseable = yes
	public = no
	delete readonly = yes
[temp]
	comment = [removed for privarcy]
	path = [removed for privarcy]
	writeable = no
	browseable = no
	public = yes

[share2]
	comment = [removed for privarcy]
	path = [removed for privarcy]
	writeable = yes
	create mask = 0775
	force create mode = 0775
	directory mask = 2775
	force directory mode = 2775
	browseable = yes
	public = no
	delete readonly = yes


TL;DR: samba uses server mode, and the panics seems to happen since an update on the authentication server. 
The samba server is an ubuntu lucid LTS w/ backports but samba 3.5 from natty (I hoped to fix this bug by updating, but it didn't help). The authentication server was a FreeBSD with samba 3.3.13 before and was now (physically) replaced by a FreeBSD 9 server with samba 3.6.1. The samba on the authentication server was manually compiled with LDAP-support, CUPS-support, winbinds-support, acl-support, async-io-support and ipv6-support.