In smbd/posix_acls.c, can_delete_file_in_directory() returns "True" without checking whether the user has write permission if the directory has the sticky bit set and is owned by the user. If the directory has the sticky bit set, any user can open all files in the directory with the DELETE_ACCESS access mask. This problem is NOT a security violation, because the actual delete operation fails with a permission denied error, but it confuses users in some cases.
Created attachment 1630: proposed patch
Good catch! Applied, thanks - will be in 3.0.22. Jeremy.
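The ordering problem described in the report, as an added example that is not Samba's code or the attached patch: `can_delete_early_return` models only the behaviour stated in the report's first sentence, and `can_delete_posix` applies the usual POSIX rule that the sticky bit narrows an existing write permission and never grants one. The struct names, function names and sample uids are hypothetical, and supplementary groups and ACLs are ignored.

```c
#include <stdbool.h>
#include <stdio.h>

#define MODE_STICKY 01000u  /* sticky bit, same value as S_ISVTX */
#define WANT_WX     03u     /* write + search, expressed in the "other" class */

/* Hypothetical model types: caller identity, and owner/group/mode of an inode. */
struct who { unsigned uid, gid; };
struct obj { unsigned uid, gid, mode; };

/* Classic owner/group/other selection; simplification: no supplementary groups, no ACLs. */
static bool has_perm(struct who u, struct obj o, unsigned bits)
{
    if (u.uid == 0) return true;                       /* root bypasses mode bits */
    if (u.uid == o.uid) return ((o.mode >> 6) & bits) == bits;
    if (u.gid == o.gid) return ((o.mode >> 3) & bits) == bits;
    return (o.mode & bits) == bits;
}

/* Model of the reported behaviour: sticky directory owned by the caller
 * answers "yes" before directory write permission is ever looked at. */
bool can_delete_early_return(struct who u, struct obj dir, struct obj file)
{
    (void)file;
    if ((dir.mode & MODE_STICKY) && u.uid == dir.uid) return true;
    return has_perm(u, dir, WANT_WX);
}

/* POSIX ordering: write+search on the directory is always required;
 * the sticky bit then restricts deletion to file owner, directory owner or root. */
bool can_delete_posix(struct who u, struct obj dir, struct obj file)
{
    if (!has_perm(u, dir, WANT_WX)) return false;
    if (!(dir.mode & MODE_STICKY)) return true;
    return u.uid == 0 || u.uid == file.uid || u.uid == dir.uid;
}

int main(void)
{
    /* Constructed sample: sticky directory, mode r-xr-xr-x, owned by uid 1000. */
    struct who alice = { 1000, 1000 };
    struct obj dir   = { 1000, 1000, 01555 };
    struct obj file  = { 1000, 1000, 0644 };
    printf("early return: %d, posix order: %d\n",
           can_delete_early_return(alice, dir, file),
           can_delete_posix(alice, dir, file));
    return 0;
}
```

With the early return, the answer for the sample directory disagrees with what a later unlink would do, which is the user-visible confusion the report mentions.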