Created attachment 6821 [details] zip archive with various test results
... when running smbd 3.6.0 with encrypt passwords = no I found that I can write files to the share, overwrite existing files, but cannot rename or delete files (Access denied)
Test environment: Slackware Linux 13.37 with a self-compiled stock 2.6.39 kernel
Clients: Windows 2000+XP
Test sequence was:
  Made connection to the share "diske".
  Copied a file "samba-test.txt" successfully to the share.
  Looked up the file properties, especially the security tabs.
  Tried to rename and/or delete the file, got access denied.
The attached file contains:
  Complete smb.conf
  Two screenshots of the security information as seen from Windows
  samba -d10 logfile
The screenshots are in German, but I think one can see clearly that not all boxes are ticked and all are greyed out.
Hi, Jeremy! This might be an ACL bug
Analysis of the Win7 -> Vista trace. The operations on the Test.docx file are:
Packet  Operation
----------------------------------------
228     Create -> Replies with batch oplock
242     GetInfo : SEC_INFO_OO -> Replies Buffer too small
245     GetInfo : SEC_INFO_OO -> Replies with security descriptor
292     GetInfo : FILE_STREAM_INFO -> Replies with ::$DATA stream only.
298     Rename from Test.docx -> D3116FE.tmp -> Replies with Rename succeeded.
As far as I can tell Test.docx still has a batch oplock and thus should reply with NT_STATUS_SHARING_VIOLATION.
Created attachment 6829 [details] Patch for smb2.oplock test in smbtorture4 Here is a patch, which when added to master, will cause a new smb2.oplock.exclusive7 test which tries to reproduce the activities of the Win7 client against a Vista fileserver. Apply, then run smb2.oplock. We still get NT_STATUS_SHARING_VIOLATION on the rename (and I don't see why :-( ). Jeremy.
Hi Jeremy, could it be that you mixed up several bugs? ;-) You are writing something about Windows Vista/7 and smb2, which has nothing to do with my reported problem.
(In reply to comment #6) I have now tried out the new version 3.6.1 and nothing has changed regarding this issue. J.Roderburg
Same here, samba 3.6.1 fixes nothing
Created attachment 7089 [details] my config file to reproduce the bug
In my case, compiled by the Gentoo Portage system with these USE flags:
net-fs/samba-3.6.1 USE="aio client fam readline server smbclient -acl -addns -ads -avahi -caps -cluster -cups -debug -doc -examples -ldap -ldb -netapi -pam -quota -smbsharemodes -swat -syslog -winbind"
(In reply to comment #9)
> Created attachment 7089 [details]
> my config file
>
> to reproduct the bug
Hmm, I see "encrypt passwords = yes" in your config file. Strange, what I see definitely correlates with "encrypt passwords = no".
J.Roderburg
Misconfiguration, fixing it changes nothing. I wish/have share configured without any passwd. One as read only, other as read/write.
Same bug for me.
Samba 3.6.1, file/directory rename or delete fault with ACCESS_DENY
Previous version 3.5.8 works fine, same config.
Upgrade steps made by me:
1 - Work partition changed from Ext3 to Ext4
2 - Installed new 3.6.1 Samba
No other changes.
PS: Maybe it will help you!
Hello All
Some not good news!
I have rolled back to Ext3 and Samba 3.5.8
Same fault! ACCESS DENY while rename or delete.
Only once I can't rollback - OS.
This configuration works on CentOS 5.5,
and does not work on Ubuntu 10.04.3 (2.6.32-35-generic)
Will try to roll back the kernel...
Thanks
(In reply to comment #13)
> Same bug for me.
>
> Samba 3.6.1, file/directory rename or delete fault with ACCESS_DENY
> Previous versions 3.5.8 works fine, same config.
>
> Upgrade steps made by my:
> 1 - Works partition change from Ext3 to Ext4
> 2 - Install new 3.6.1 Samba
>
> No other changes.
>
> PS: May be it will help you!
At least it shows me that I am not the only person with this problem. Now if we only could get the developers' attention again to it.
(In reply to comment #14)
> Hello All
>
> Some not good news!
>
> I have rollback to Ext3 and Samba 3.5.8
>
> Same fault! ACCESS DENY while rename or delete.
>
When I encountered the problem the first time it was also not possible to return to a working 3.5.x version until I deleted the files in samba-log-dir/locks (which I did later always before and after every new test).
Downgrading the kernel to 2.6.32-33 did not solve the problem. Downgrade more early kernel very strange coz' server remotely.
I found another solution for test purposes.
Edit src file /samba-3.6.1/source3/smbd/file_access.c
Make can_access_file_acl function return always 'true'.
Change line 74 'return ret;' to 'return true;'
Save
make; make install
Now Samba can delete or rename files/folders.
My resume: function can_access_file_acl wrong with file access permissions.
Yes, I agree idea about developers!
Hello Jeremy!!! What do you think about it?
(In reply to comment #17)
> I found another solution for test purposes.
>
> Edit src file /samba-3.6.1/source3/smbd/file_access.c
>
> Make can_access_file_acl function return always 'true'.
>
> Change line 74 'return ret;' to 'return true;'
>
Wow, that's what I would call a strong hack. ;-) But, OTOH, the function looks like an interesting starting point for more research.
Ok, what I need to see is a debug level 10 with your hack applied showing the delete succeeding, and a debug level 10 without your hack, showing it failing. I also need a getfacl output from the directory and the file you're trying to delete, as well as your smb.conf. That might help track it down. Jeremy.
Created attachment 7185 [details] smbd_361orig_delete.log
Created attachment 7186 [details] smbd_361pached_delete.log
Created attachment 7187 [details] smbd_361orig_rename.log
Created attachment 7188 [details] smbd_361pached_rename.log
#mount
/dev/sda4 on /mnt/public type ext3 (rw,nosuid,nodev,acl,user_xattr)
#ls -la /mnt
drwxr-xr-x 4 nobody nogroup 1024 2011-12-15 11:01 public
#ls -la /mnt/public
drwxr-xr-x 4 nobody nogroup 1024 2011-12-15 11:01 .
drwxr-xr-x 3 root root 4096 2011-12-15 10:34 ..
drwx------ 2 nobody nogroup 12288 2011-12-15 10:43 lost+found
drwxr-xr-x 2 nobody nogroup 1024 2011-12-15 10:55 test_folder
-rwxr--r-- 1 nobody nogroup 220074 2011-12-15 11:00 test_img.bmp
Reproduce steps with original smbd
0 - start smbd: /home/dm/bin/samba3/sbin/smbd -s/opt/samba/smb.conf
1 - Open public share from WinXP sp3
2 - Rename test_img.bmp to qwerty.bmp
3 - Rename failed with access deny
Log: smbd_361orig_rename.log
Next, patch samba-3.6.1/source3/smbd/file_access.c, line 75, change "return ret;" to "return true;"
#make; make install
Reproduce steps with patched smbd
0 - start smbd: /home/dm/bin/samba3/sbin/smbd -s/opt/samba/smb.conf
1 - Open public share from WinXP sp3
2 - Rename test_img.bmp to qwerty.bmp
3 - Renamed!!!
Log: smbd_361pached_rename.log
Same was made with DELETE file test_img.bmp. Patched version removes test_img.bmp successfully, original smbd can't delete file - access deny.
Logs: smbd_361orig_delete.log and smbd_361pached_delete.log
#cat /opt/samba/smb.conf
[global]
  pid directory = /opt/samba/run
  lock directory = /opt/samba/cache
  private dir = /opt/samba/cache
  log file = /opt/samba/smbd.log
  log level = 10
  workgroup = TEST
  security = share
  show add printer wizard = no
  max log size = 10240
  bind interfaces only = true
  interfaces = eth1
[homes]
  browseable = no
  printable = no
[public]
  path = /mnt/public
  comment = ""
  read only = no
  guest ok = yes
  follow symlinks = no
  writable = yes
I see now that Dmtry's configuration is different than mine. He has the problem with security = share and I have it with security = user and encrypt passwords = no Therefore I have also made new d10 logfiles for the working and not-working case. The test situation is a bit simpler as with my first posted logfile, no Windows involved, I just made (on the Linux server host) a smbclient connection + dir + rm.
Created attachment 7189 [details] zip file with configuration and test results
Hello Jeremy.
Maybe it depends on the kernel version?
Coz configuration of: samba, mount partition, fs type, permissions was the same for my old CentOS 5.5 and new Ubuntu 10.04.3
But with CentOS it works fine, with Ubuntu I have troubles with permissions, acl or something else.
I have tested 3.5.8 version and 3.6.1 on Ubuntu - same troubles - access denied.
Thank you.
(In reply to comment #27)
> Hello Jeremy.
>
> May be it is depend on kernel version?
>
> Coz configuration of: samba, mount partition, fs type, permissions was same for
> my old CentOS 5.5 and new Ubuntu 10.04.3
>
> But with CentOS works fine, with Ubuntu have troubles with permissions, acl or
> something else.
>
> I has tested 3.5.8 version and 3.6.1 on Ubuntu - same troubles - access denied.
>
> Thank you.
Here it does not depend on the kernel version. Here it does not depend on the USE flags on Gentoo. Switch to samba 3.5 works, switch to 3.6 does not work, re-switch to 3.5 works, re-switch to 3.6 does not work...
Add me to the list. Recently upgraded to 3.6.1, Debian testing, same problem with file rename. I had to set "force user = root" for the shares showing the problem.
Ok, looking at the smbd_361orig_delete.log carefully. Here is the users token:
Windows version:
Security token SIDs (5):
  SID[ 0]: S-1-22-1-65534
  SID[ 1]: S-1-22-2-65534
  SID[ 2]: S-1-1-0
  SID[ 3]: S-1-5-2
  SID[ 4]: S-1-5-32-546
UNIX version:
UNIX token of user 65534
Primary group is 65534 and contains 1 supplementary groups
Group[ 0]: 65534
The permissions on file test_img.bmp are:
canon_ace index 0. Type = allow SID = S-1-5-21-251563815-16092371-1107951384-501 uid 65534 (nobody) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-65534 gid 65534 (nogroup) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
So the problem is that the "nobody" user is mapped into SID S-1-5-21-251563815-16092371-1107951384-501 when looking up ACL entries, but is mapped into S-1-22-1-65534 in the Windows token attached to the process.
OK, S-5-1-21-<DOMAIN ID>-501 (RID of 501) is the hard coded "Guest" account in the given domain. So the real question here is why the "guest" account isn't getting an authentication map to S-5-1-21-<DOMAIN ID>-501 on account lookup on login, but is being left as S-1-22-1-65534 (UNIX uid mapping) ?
Jeremy.
Good question. In my system there is no user with UID 501
But in the sources I found that
#pwd
/home/dm/bin/samba-3.6.1
#grep 501 */*/*/*.h
...
source3/librpc/gen_ndr/security.h:#define DOMAIN_RID_GUEST ( 501 )
...
Maybe DOMAIN_RID_GUEST was used?
Yes, DOMAIN_RID_GUEST was used in the ACL mapping, that's what I'm saying. The problem is that SID isn't in the associated user token, which is why you're getting ACCESS_DENIED for guest. We need to figure out why this isn't being mapped in the authentication code. Jeremy.
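
The token-versus-ACL comparison made in the analysis above can be scripted over a debug level 10 log. The following is an added example, not part of the original thread and not Samba code: it parses the token SIDs and `canon_ace` entries, evaluates a simplified allow-only check, and reports user ACEs that name the token's own Unix uid under a SID the token does not carry. The sample values are the ones quoted above; the log line layout and all function names are assumptions.

```python
import re

# Constructed sample: the SIDs, ids and perms are the ones quoted from
# smbd_361orig_delete.log above; the exact line layout is an assumption.
SAMPLE_LOG = """\
Security token SIDs (5):
  SID[  0]: S-1-22-1-65534
  SID[  1]: S-1-22-2-65534
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-32-546
UNIX token of user 65534
Primary group is 65534 and contains 1 supplementary groups
Group[  0]: 65534
canon_ace index 0. Type = allow SID = S-1-5-21-251563815-16092371-1107951384-501 uid 65534 (nobody) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-65534 gid 65534 (nogroup) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
"""

TOKEN_SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-[\d-]+)")
UNIX_UID_RE = re.compile(r"UNIX token of user (\d+)")
# \s+ between fields so the pattern also matches if an entry is wrapped.
ACE_RE = re.compile(
    r"canon_ace index (?P<index>\d+)\.\s+Type = (?P<type>\w+)\s+"
    r"SID = (?P<sid>S-[\d-]+)\s+"
    r"(?:(?P<kind>uid|gid) (?P<id>\d+) \([^)]*\)|other)\s+"
    r"(?P<tag>\w+)\s+ace_flags = 0x[0-9a-fA-F]+\s+"
    r"perms (?P<perms>[r-][w-][x-])"
)


def parse_token_sids(log):
    """SIDs listed in the 'Security token SIDs' dump, in log order."""
    return TOKEN_SID_RE.findall(log)


def parse_aces(log):
    """One dict per canon_ace entry found in the log."""
    aces = []
    for m in ACE_RE.finditer(log):
        aces.append({
            "index": int(m["index"]),
            "type": m["type"],
            "sid": m["sid"],
            "kind": m["kind"] or "other",
            "id": int(m["id"]) if m["id"] else None,
            "tag": m["tag"],
            "perms": m["perms"],
        })
    return aces


def effective_perms(token_sids, aces):
    """Union of perms from allow ACEs whose SID is in the token.

    Simplified on purpose: deny ACEs and privileges are ignored, so this
    is an illustration of the SID matching, not Samba's access check.
    """
    sids = set(token_sids)
    granted = set()
    for ace in aces:
        if ace["type"] == "allow" and ace["sid"] in sids:
            granted.update(c for c in ace["perms"] if c != "-")
    return "".join(c if c in granted else "-" for c in "rwx")


def unmatched_user_aces(log):
    """User ACEs for the token's own Unix uid whose SID is not in the token."""
    token = set(parse_token_sids(log))
    m = UNIX_UID_RE.search(log)
    uid = int(m.group(1)) if m else None
    return [a for a in parse_aces(log)
            if a["kind"] == "uid" and a["id"] == uid and a["sid"] not in token]


if __name__ == "__main__":
    sids = parse_token_sids(SAMPLE_LOG)
    aces = parse_aces(SAMPLE_LOG)
    print("effective perms via token SIDs:", effective_perms(sids, aces))
    for ace in unmatched_user_aces(SAMPLE_LOG):
        print("ACE %d (%s, perms %s) uses SID %s, which is not in the token"
              % (ace["index"], ace["tag"], ace["perms"], ace["sid"]))
```

On the sample, the owner's `rwx` entry is never matched, so only the group and other entries contribute.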
What user are you logging into this box with ? Testing v3-5-test and in my smb.conf I have:
  map to guest = bad user
  guest user = nobody
  guest ok = true
and when I log in with an unknown user I get:
NT user token of user S-1-5-21-3916860526-1045206939-2130759105-501 contains 6 SIDs
  SID[ 0]: S-1-5-21-3916860526-1045206939-2130759105-501
  SID[ 1]: S-1-22-2-65534
  SID[ 2]: S-1-1-0
  SID[ 3]: S-1-5-2
  SID[ 4]: S-1-5-32-546
  SID[ 5]: S-1-22-1-65534
SE_PRIV 0x0 0x0 0x0 0x0
[2011/12/20 12:54:35.514929, 5] auth/token_util.c:551(debug_unix_user_token)
UNIX token of user 65534
Primary group is 65534 and contains 1 supplementary groups
Group[ 0]: 65534
Which is the correct mapping (it contains both the 501 domain RID and also the S-1-22-1-65534 and S-1-22-1-65534 mappings). I don't see how you are getting a login without the S-1-5-21-<domain id>-501 mapping.
Jeremy.
I'm logging as user 'dm'
#id dm
uid=1000(dm) gid=1000(dm) groups=1000(dm),4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare)
then... becomes root
#sudo su -
and then run samba as root
/home/dm/bin/samba3/sbin/smbd -s/opt/samba/smb.conf
Maybe I'm wrong? What can I do to help?
I meant what user are you logging onto the Samba share with from the *Windows* box, not the Linux side of things ? What I'm trying to understand is why the mapping to guest on Windows user logon to the share isn't adding the RID 501 user to the process token. Jeremy.
I open share from Windows XP. Share opens without prompt to enter user/passwd information. I think, as guest.
(In reply to comment #35)
> I meant what user are you logging onto the Samba share with from the *Windows*
> box, not the Linux side of things ?
>
> What I'm trying to understand is why the mapping to guest on Windows user logon
> to the share isn't adding the RID 501 user to the process token.
>
Hi Jeremy, I would like to remind you that Dmtry's case was with security=share, so there are no visible user names involved on Windows. And I think you know better, how this case is handled internally by Windows. The general question, if perhaps some necessary rights got lost internally in the connection setup in Samba, could also be applicable to *my* variant of the problem.
I think I'm also affected by this bug. I created a guest-writable share, security=share. guest account maps to nobody. On filesystem layer, user nobody is the owner of all files and directories in the shared folder and has all needed permissions. After the update to samba-3.6.3, I can only upload files to this directory. When I try to rename/delete the files, I get "access denied". With 3.5.12, everything worked correctly. Will attach smb.conf. If you need logs, don't hesitate to ask :-)
Created attachment 7278 [details] smb.conf
Please attach debug level 10 logs whilst trying to delete a file using smbclient. Thanks ! Jeremy.
Created attachment 7279 [details] samba.test.log.gz when trying to rm test.txt
Complete samba log of:
# /etc/init.d/samba start
# smbclient //127.0.0.1/upload
WARNING: The security=share option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.3]
Server not using user level security and no password supplied.
smb: \> rm test.txt
NT_STATUS_ACCESS_DENIED deleting remote file \test.txt
NT_STATUS_ACCESS_DENIED listing \test.txt
smb: \> quit
# /etc/init.d/samba stop
At around line 6650, "test.txt" appears in the log... On this system, user "nobody" has uid=gid=65534
I'm seeing the same issue with 3.6.1 (from pkg_add -r samba36) on amd64 FreeBSD 9.0. I, too, have security=share, but I'm not forcing the user to nobody. Downgrading to 3.5.11 fixed the issue.
[global]
  workgroup = MYGROUP
  server string = server
  security = share
  guest account = guest
  log file = /var/log/samba/log.%m
  max log size = 50
  dns proxy = no
[share]
  path = /mnt/disk
  public = yes
  guest ok = yes
  only guest = yes
  writable = yes
  force user = guest
  force group = guest
  printable = no
Created attachment 7597 [details] samba.test.log.gz
Still doesn't work with samba-3.6.5. Trying to delete test.txt with smbclient like in the log above.
[global]
  workgroup = WORKGROUP
  server string = Sambashare
  security = share
  load printers = no
  guest account = nobody
  log file = /var/log/samba.test.log
  log level = 10
  max log size = 5000000
  dns proxy = no
  interfaces = lo
[homes]
  comment = Home Directories
  browseable = no
  writable = yes
[printers]
  comment = All Printers
  path = /var/spool/samba
  browseable = no
  guest ok = no
  writable = no
  printable = yes
[upload]
  path = /opt/share/upload_
  browseable = yes
  read only = no
  writeable = yes
  guest ok = yes
I've seen a similar issue, using 3.6.5, where
[global section]
  map to guest = Bad User
  guest account = nobody
  guest only = No
[in a share]
  public = yes
  writeable = yes
Symptom is a 'guest' user (one who does not have an account on the linux samba server) can create and write files but can not delete (or rename).
This is fixed by adding to the global section:
  acl check permissions = No
Something else interesting. In testing this "fix" I noticed it was not good enough to just send SIGHUP to smbd, I had to kill the smbd process(es) and restart for change to this option to "take effect".
Setting "acl check permissions" to "no" also worked for me. So it seems to me as if this feature breaks proper guest access...
Florian
(In reply to comment #44)
> I've seen a similar issue, using 3.6.5, where
>
> [global section]
> map to guest = Bad User
> guest account = nobody
> guest only = No
>
> [in a share]
> public = yes
> writeable = yes
>
>
> Symptom is a 'guest' user (one who does not have an account on the linux samba
> server) can create and write files but can not delete (or rename).
>
> This is fixed by adding to the global section:
>
> acl check permissions = No
>
> Something else interesting. In testing this "fix" I noticed it was not good
> enough to just send SIGHUP to smbd, I had to kill the smbd process(es) and
> restart for change to this option to "take effect".
That's fix here. But strange because here samba is with: --without-acl-support ...
(In reply to comment #44)
>
> Symptom is a 'guest' user (one who does not have an account on the linux samba
> server) can create and write files but can not delete (or rename).
>
> This is fixed by adding to the global section:
>
> acl check permissions = No
>
Fascinating ... ;-) Yes, with this setting I can also delete/rename again in my variant of the problem situation. So it looks as if the error is somewhere in the evaluation of the access rights in the "open for delete". With this setting we have of course then also the "surprising behaviour" which is mentioned in the description of the parameter, namely that in Windows you do not get an error message in the case that you "really" have no rights to delete, the file just does not disappear.
(In reply to comment #46)
> That's fix here. But strange because here samba is with: --without-acl-support
> ...
Well, I think this source configure parameter is about extended acl support in the underlying filesystem which is served by samba. The runtime configuration parameter is about samba file system acls that (Windows) clients see.
Created attachment 7665 [details] samba log file
Created attachment 7666 [details] samba configuration file
We have the same "problem" on our systems.
BUT: this only happens on Windows 7 (maybe w2k8 also) and NOT on Windows XP (SP3) machines.
Server is SLES 11 SP1 (samba 3.4.3) - yesterday upgraded to SP2 (with samba 3.6.3)
Before that we had HP-UX with 3.0.23 with no probs.
smb.conf==> security = ADS
we are working with a workaround on the share:
"force group = ourlocalunixgroup"
nearby the log files.
(In reply to comment #51)
> We have the same "problem" on our systems.
>
> BUT: this only happens on Windows 7 (maybe w2k8 also) and NOT on Windows XP
> (SP3) machines.
>
> Server is SLES 11 SP1 (samba 3.4.3) - yesterday upgraded to SP2 (with samba
> 3.6.3)
> Before that we have HP-UX with 3.0.23 with no probs.
>
> smb.conf==> security = ADS
>
> we are working with a workaround on the share:
> "force group = ourlocalunixgroup"
>
> nearby the log files.
It seems for some reason the SID assignment is wrong. In the token we have S-1-5-21-3808856800-3377253041-461491224-3007, in the ACL we see S-1-5-21-1263226945-3077904616-763750265-3007, which presumably might denote the same object. Are you running winbind?
Hi Volker, thanks for the reply. You're right, winbind is running (... but not any more)! We stopped winbind on our test machine - now it's running fine. In the next days we want to try that on our production machine (samba 3.4.3). I will report asap ...
I am seeing something like this bug also. I just upgraded a computer from F14 to F16. I think it's related to users and groups on the linux server.
I have a dir on the server like:
drwxr-x---. 13 samba samba 4096 Sep 5 10:21 Darlene/
On XP I can create a file and save to a file (contents stored ok), but not delete the file. On Win7 I can save to a file but it doesn't save the contents, it only makes a zero byte file. Can't save to existing files.
If I chmod g+w Darlene, so it is like:
drwxrwx---. 13 samba samba 4096 Sep 5 10:21 Darlene/
Then I can do all operations properly/normally on XP and Win7. It's almost as though samba is for some things looking at the uid and some things looking at the gid. It's really messed up.
With samba-3.6.5 I again have the same error as logged in comment #41 (was not able to workaround with "acl check permissions" set to false anymore). So downgrading to samba 3.5 again... Is there anything I can do to help with investigation? Is it the same bug as in comment #52?
I'm experiencing the same (or at least a similar) issue:
samba version:
- samba-3.6.6-88.fc16.i686 (official Fedora 16 package)
- "security = share"
- symptom: unable to delete any files
- "acl check permissions = no" made the issue disappear
If you need more debug, I'd be happy to provide it.
samba 3.6.10 allows me to delete/write again :-) (no matter how acl check permissions is set)
(In reply to comment #57)
> samba 3.6.10 allows me to delete/write again :-)
For my variant of the problem (unencrypted passwords) version 3.6.10 did not change anything. OTOH, this problem has now been unprocessed for so long that I actually do not need this anymore.
This bug also appears in RHEL6 with the most current Samba in the repository (Version 3.6.9-151.el6).
Even if I remove the ACLs from a user's file, he can not delete or rename his own files.
Only setting 'acl check permissions = false' will allow the user to delete his own files again.
(In reply to comment #59)
> This bug also appear in RHEL6 with the most current Samba in the repository
> (Version 3.6.9-151.el6).
>
> Even if I remove the ACL's from a users file, he can not delete or rename his
> own files.
>
> Only setting 'acl check permissions = false' will allow the user to delete his
> own files again.
I have a similar problem, except that I can do everything except rename or move a file/directory. I can read, write, and delete. Same version (on CentOS 6.4).
(In reply to comment #59) > This bug also appear in RHEL6 with the most current Samba in the repository > (Version 3.6.9-151.el6). > > Even if I remove the ACL's from a users file, he can not delete or rename his > own files. > > Only setting 'acl check permissions = false' will allow the user to delete his > own files again. The acl check permissions hack didn't work for me. Log level 3 also doesn't log anything. Windows 7 says the file doesn't exist, as opposed to access denied, which is what XP says. Log level 4 for the XP host is below: 2013/05/06 16:50:53.143127, 3] smbd/trans2.c:5255(call_trans2qfilepathinfo) call_trans2qfilepathinfo Backups/New folder (fnum = 14172) level=1004 call=7 total_data=0 [2013/05/06 16:50:53.146857, 3] smbd/process.c:1662(process_smb) Transaction 2321 of length 76 (0 toread) [2013/05/06 16:50:53.146931, 3] smbd/process.c:1467(switch_message) switch message SMBtrans2 (pid 8024) conn 0x7f27607bad00 [2013/05/06 16:50:53.146978, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/05/06 16:50:53.147044, 3] smbd/trans2.c:5026(call_trans2qfilepathinfo) call_trans2qfilepathinfo: TRANSACT2_QFILEINFO: level = 1005 [2013/05/06 16:50:53.147120, 3] smbd/trans2.c:5255(call_trans2qfilepathinfo) call_trans2qfilepathinfo Backups/New folder (fnum = 14172) level=1005 call=7 total_data=0 [2013/05/06 16:50:53.150302, 3] smbd/process.c:1662(process_smb) Transaction 2322 of length 45 (0 toread) [2013/05/06 16:50:53.150375, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 8024) conn 0x7f27607bad00 [2013/05/06 16:50:53.150454, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/05/06 16:50:53.150530, 3] smbd/reply.c:4838(reply_close) close directory fnum=14172 [2013/05/06 16:50:53.151336, 3] smbd/process.c:1662(process_smb) Transaction 2323 of length 112 (0 toread) [2013/05/06 16:50:53.151422, 3] smbd/process.c:1467(switch_message) switch message SMBmv (pid 8024) conn 0x7f27607bad00 
[2013/05/06 16:50:53.151469, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/05/06 16:50:53.151543, 3] smbd/vfs.c:905(check_reduced_name) check_reduced_name [Backups/New folder] [/ByrneIT] [2013/05/06 16:50:53.151611, 3] smbd/vfs.c:1039(check_reduced_name) check_reduced_name: Backups/New folder reduced to /ByrneIT/Backups/New folder [2013/05/06 16:50:53.151747, 3] smbd/vfs.c:905(check_reduced_name) check_reduced_name [Backups/Test] [/ByrneIT] [2013/05/06 16:50:53.151855, 3] smbd/vfs.c:1039(check_reduced_name) check_reduced_name: Backups/Test reduced to /ByrneIT/Backups/Test [2013/05/06 16:50:53.151911, 3] smbd/reply.c:6699(reply_mv) reply_mv : Backups/New folder -> Backups/Test [2013/05/06 16:50:53.151992, 3] smbd/reply.c:6348(rename_internals) rename_internals: case_sensitive = 0, case_preserve = 1, short case preserve = 1, directory = Backups/New folder, newname = Backups/Test, last_component_dest = Test [2013/05/06 16:50:53.152115, 3] smbd/vfs.c:905(check_reduced_name) check_reduced_name [Backups/Test] [/ByrneIT] [2013/05/06 16:50:53.152201, 3] smbd/vfs.c:1039(check_reduced_name) check_reduced_name: Backups/Test reduced to /ByrneIT/Backups/Test [2013/05/06 16:50:53.152284, 3] smbd/reply.c:6244(rename_internals_fsp) rename_internals_fsp: Error NT_STATUS_ACCESS_DENIED rename Backups/New folder -> Backups/Test [2013/05/06 16:50:53.152387, 3] smbd/reply.c:6412(rename_internals) rename_internals: Error NT_STATUS_ACCESS_DENIED rename Backups/New folder -> Backups/Test [2013/05/06 16:50:53.152471, 3] smbd/error.c:81(error_packet_set) error packet at smbd/reply.c(6709) cmd=7 (SMBmv) NT_STATUS_ACCESS_DENIED [2013/05/06 16:50:53.154956, 3] smbd/process.c:1662(process_smb) Transaction 2324 of length 118 (0 toread) [2013/05/06 16:50:53.155021, 3] smbd/process.c:1467(switch_message) switch message SMBtrans2 (pid 8024) conn 0x7f27607bad00 [2013/05/06 16:50:53.155077, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/05/06 
16:50:53.155144, 3] smbd/trans2.c:5111(call_trans2qfilepathinfo) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004 [2013/05/06 16:50:53.155202, 3] smbd/vfs.c:905(check_reduced_name) check_reduced_name [Backups/New folder] [/ByrneIT] [2013/05/06 16:50:53.155277, 3] smbd/vfs.c:1039(check_reduced_name) check_reduced_name: Backups/New folder reduced to /ByrneIT/Backups/New folder [2013/05/06 16:50:53.155348, 3] smbd/trans2.c:5255(call_trans2qfilepathinfo) call_trans2qfilepathinfo Backups/New folder (fnum = -1) level=1004 call=5 total_data=0 [2013/05/06 16:50:53.155826, 3] smbd/process.c:1662(process_smb) Transaction 2325 of length 118 (0 toread) [2013/05/06 16:50:53.155899, 3] smbd/process.c:1467(switch_message) switch message SMBtrans2 (pid 8024) conn 0x7f27607bad00 [2013/05/06 16:50:53.155946, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/05/06 16:50:53.156003, 3] smbd/trans2.c:5111(call_trans2qfilepathinfo) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004 [2013/05/06 16:50:53.156060, 3] smbd/vfs.c:905(check_reduced_name) check_reduced_name [Backups/New folder] [/ByrneIT] [2013/05/06 16:50:53.156115, 3] smbd/vfs.c:1039(check_reduced_name) check_reduced_name: Backups/New folder reduced to /ByrneIT/Backups/New folder [2013/05/06 16:50:53.156175, 3] smbd/trans2.c:5255(call_trans2qfilepathinfo) call_trans2qfilepathinfo Backups/New folder (fnum = -1) level=1004 call=5 total_data=0 [2013/05/06 16:50:55.327949, 3] smbd/process.c:1662(process_smb) Transaction 2326 of length 96 (0 toread) [2013/05/06 16:50:55.328072, 3] smbd/process.c:1467(switch_message) switch message SMBtrans2 (pid 8024) conn 0x7f27607bad00 [2013/05/06 16:50:55.328173, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/05/06 16:50:55.328264, 3] smbd/trans2.c:5111(call_trans2qfilepathinfo) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004 [2013/05/06 16:50:55.328369, 3] smbd/vfs.c:905(check_reduced_name) check_reduced_name 
[Backups] [/ByrneIT] [2013/05/06 16:50:55.328456, 3] smbd/vfs.c:1039(check_reduced_name) check_reduced_name: Backups reduced to /ByrneIT/Backups [2013/05/06 16:50:55.328584, 3] smbd/trans2.c:5255(call_trans2qfilepathinfo) call_trans2qfilepathinfo Backups (fnum = -1) level=1004 call=5 total_data=0 [2013/05/06 16:50:55.329174, 3] smbd/process.c:1662(process_smb) Transaction 2327 of length 124 (0 toread) [2013/05/06 16:50:55.329241, 3] smbd/process.c:1467(switch_message) switch message SMBtrans2 (pid 8024) conn 0x7f27607bad00 [2013/05/06 16:50:55.329305, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/05/06 16:50:55.329381, 3] smbd/trans2.c:2286(call_trans2findfirst) call_trans2findfirst: dirtype = 16, maxentries = 1366, close_after_first=1, close_if_end = 1 requires_resume_key = 1 level = 0x104, max_data_bytes = 16384 [2013/05/06 16:50:55.329480, 3] smbd/vfs.c:905(check_reduced_name) check_reduced_name [Backups/New folder] [/ByrneIT] [2013/05/06 16:50:55.329552, 3] smbd/vfs.c:1039(check_reduced_name) check_reduced_name: Backups/New folder reduced to /ByrneIT/Backups/New folder [2013/05/06 16:50:55.329630, 3] smbd/vfs.c:905(check_reduced_name) check_reduced_name [Backups] [/ByrneIT] [2013/05/06 16:50:55.329699, 3] smbd/vfs.c:1039(check_reduced_name) check_reduced_name: Backups reduced to /ByrneIT/Backups [2013/05/06 16:50:55.329787, 3] smbd/dir.c:578(dptr_create) creating new dirptr 256 for path Backups, expect_close = 1 [2013/05/06 16:50:55.329860, 4] smbd/trans2.c:2439(call_trans2findfirst) dptr_num is 256, wcard = New folder, attr = 22 [2013/05/06 16:50:55.329967, 3] smbd/dir.c:1041(smbd_dirptr_get_entry) smbd_dirptr_get_entry mask=[New folder] found Backups/New folder fname=New folder (New folder) [2013/05/06 16:50:55.330075, 4] smbd/dir.c:257(dptr_close_internal) closing dptr key 256 [2013/05/06 16:50:55.330162, 4] smbd/trans2.c:2549(call_trans2findfirst) SMBtrans2 mask=New folder directory=Backups dirtype=22 numentries=1 [2013/05/06 
16:50:55.331070, 3] smbd/process.c:1662(process_smb) Transaction 2328 of length 118 (0 toread) [2013/05/06 16:50:55.331135, 3] smbd/process.c:1467(switch_message) switch message SMBtrans2 (pid 8024) conn 0x7f27607bad00 [2013/05/06 16:50:55.331182, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/05/06 16:50:55.331250, 3] smbd/trans2.c:5111(call_trans2qfilepathinfo) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004 [2013/05/06 16:50:55.331316, 3] smbd/vfs.c:905(check_reduced_name) check_reduced_name [Backups/New folder] [/ByrneIT] [2013/05/06 16:50:55.331382, 3] smbd/vfs.c:1039(check_reduced_name) check_reduced_name: Backups/New folder reduced to /ByrneIT/Backups/New folder [2013/05/06 16:50:55.331442, 3] smbd/trans2.c:5255(call_trans2qfilepathinfo) call_trans2qfilepathinfo Backups/New folder (fnum = -1) level=1004 call=5 total_data=0 [2013/05/06 16:50:55.332045, 3] smbd/process.c:1662(process_smb) Transaction 2329 of length 118 (0 toread) [2013/05/06 16:50:55.332109, 3] smbd/process.c:1467(switch_message) switch message SMBtrans2 (pid 8024) conn 0x7f27607bad00 [2013/05/06 16:50:55.332156, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/05/06 16:50:55.332223, 3] smbd/trans2.c:5111(call_trans2qfilepathinfo) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004 [2013/05/06 16:50:55.332279, 3] smbd/vfs.c:905(check_reduced_name) check_reduced_name [Backups/New folder] [/ByrneIT] [2013/05/06 16:50:55.332345, 3] smbd/vfs.c:1039(check_reduced_name) check_reduced_name: Backups/New folder reduced to /ByrneIT/Backups/New folder [2013/05/06 16:50:55.332441, 3] smbd/trans2.c:5255(call_trans2qfilepathinfo) call_trans2qfilepathinfo Backups/New folder (fnum = -1) level=1004 call=5 total_data=0 [2013/05/06 16:50:58.440343, 3] smbd/process.c:1662(process_smb) Transaction 2330 of length 43 (0 toread) [2013/05/06 16:50:58.440518, 3] smbd/process.c:1467(switch_message) switch message SMBulogoffX (pid 8024) conn 0x0 
[2013/05/06 16:50:58.440590, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/05/06 16:50:58.440697, 3] smbd/reply.c:2096(reply_ulogoffX) ulogoffX vuid=102 [2013/05/06 16:50:58.441359, 3] smbd/process.c:1662(process_smb) Transaction 2331 of length 39 (0 toread) [2013/05/06 16:50:58.441435, 3] smbd/process.c:1467(switch_message) switch message SMBtdis (pid 8024) conn 0x7f27607f7e50 [2013/05/06 16:50:58.441505, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/05/06 16:50:58.441577, 4] smbd/vfs.c:780(vfs_ChDir) vfs_ChDir to /tmp [2013/05/06 16:50:58.441654, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/05/06 16:50:58.441743, 3] smbd/service.c:1378(close_cnum) tbyrnes-vm (172.21.42.150) closed connection to service IPC$ [2013/05/06 16:50:58.441831, 3] smbd/connection.c:35(yield_connection) Yielding connection to IPC$ [2013/05/06 16:50:58.441933, 4] smbd/vfs.c:780(vfs_ChDir) vfs_ChDir to / [2013/05/06 16:50:58.442000, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
One last thing: The user can log in using ssh, be in the directory, and mv works fine:

[ZAPHODB+tomb@krikkit Backups]$ ls
20121012LindaC New folder Quicken Toms Archives
[ZAPHODB+tomb@krikkit Backups]$ ls -las
total 24
4 drwxrwsr-x. 6 tsadmin ZAPHODB+domain users 4096 May 5 21:52 .
4 drwxrwsrwx. 6 tsadmin ZAPHODB+domain admins 4096 May 5 12:08 ..
4 drwxrwsr-x. 15 tsadmin ZAPHODB+domain users 4096 Oct 12 2012 20121012LindaC
4 drwxrwsrwx 2 tsadmin ZAPHODB+domain users 4096 May 6 17:57 New folder
4 drwxrwsr-x. 4 tsadmin ZAPHODB+domain users 4096 Apr 13 16:14 Quicken
4 drwxrwsr-x. 6 tsadmin ZAPHODB+domain users 4096 Aug 18 2011 Toms Archives
[ZAPHODB+tomb@krikkit Backups]$ mv New\ folder/ BadFolder
[ZAPHODB+tomb@krikkit Backups]$ ls -las
total 24
4 drwxrwsr-x. 6 tsadmin ZAPHODB+domain users 4096 May 6 18:03 .
4 drwxrwsrwx. 6 tsadmin ZAPHODB+domain admins 4096 May 5 12:08 ..
4 drwxrwsr-x. 15 tsadmin ZAPHODB+domain users 4096 Oct 12 2012 20121012LindaC
4 drwxrwsrwx 2 tsadmin ZAPHODB+domain users 4096 May 6 17:57 BadFolder
4 drwxrwsr-x. 4 tsadmin ZAPHODB+domain users 4096 Apr 13 16:14 Quicken
4 drwxrwsr-x. 6 tsadmin ZAPHODB+domain users 4096 Aug 18 2011 Toms Archives
[ZAPHODB+tomb@krikkit Backups]$
(In reply to comment #62)
> One last thing: The user can log in using ssh, be in the directory, and mv
> works fine:
>
> [ZAPHODB+tomb@krikkit Backups]$ ls
> 20121012LindaC New folder Quicken Toms Archives
> [ZAPHODB+tomb@krikkit Backups]$ ls -las
> total 24
> 4 drwxrwsr-x. 6 tsadmin ZAPHODB+domain users 4096 May 5 21:52 .
> 4 drwxrwsrwx. 6 tsadmin ZAPHODB+domain admins 4096 May 5 12:08 ..
> 4 drwxrwsr-x. 15 tsadmin ZAPHODB+domain users 4096 Oct 12 2012 20121012LindaC
> 4 drwxrwsrwx 2 tsadmin ZAPHODB+domain users 4096 May 6 17:57 New folder
> 4 drwxrwsr-x. 4 tsadmin ZAPHODB+domain users 4096 Apr 13 16:14 Quicken
> 4 drwxrwsr-x. 6 tsadmin ZAPHODB+domain users 4096 Aug 18 2011 Toms Archives
> [ZAPHODB+tomb@krikkit Backups]$ mv New\ folder/ BadFolder
> [ZAPHODB+tomb@krikkit Backups]$ ls -las
> total 24
> 4 drwxrwsr-x. 6 tsadmin ZAPHODB+domain users 4096 May 6 18:03 .
> 4 drwxrwsrwx. 6 tsadmin ZAPHODB+domain admins 4096 May 5 12:08 ..
> 4 drwxrwsr-x. 15 tsadmin ZAPHODB+domain users 4096 Oct 12 2012 20121012LindaC
> 4 drwxrwsrwx 2 tsadmin ZAPHODB+domain users 4096 May 6 17:57 BadFolder
> 4 drwxrwsr-x. 4 tsadmin ZAPHODB+domain users 4096 Apr 13 16:14 Quicken
> 4 drwxrwsr-x. 6 tsadmin ZAPHODB+domain users 4096 Aug 18 2011 Toms Archives
> [ZAPHODB+tomb@krikkit Backups]$

It turned out to be the client. Another Windows 7 client could do this fine. Changing the packet signing requirements in group policy to not require, and to allow ntlmv2, on the problem client solved the problem.
I'm using CentOS 6.5 (Final) x64 and Samba 3.6.9 (or I think so). I had the same bug if and only if force user (and group) is nobody. So when I share a folder and set
force user = nobody
force group = nobody
I can create and overwrite file/folder, but cannot rename and delete those file(s)/directory(ies). Again, it's solved by configuring
acl check permissions = False
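An added example, not part of the comment above and not Samba's own code: a small audit that lists the shares in an smb.conf where `acl check permissions` has been switched off, as in the workaround just described, together with any forced user and group. The sample configuration is constructed, and the fallback order (share, then [global], then a default of yes) is an assumption of this sketch.

```python
import re

# Constructed sample smb.conf, modelled on the settings quoted in the comment.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE

[public]
   path = /srv/public
   force user = nobody
   force group = nobody
   acl check permissions = False

[projects]
   ; acl check permissions = no   (commented out: ignored)
   Force User = builder
"""

FALSE_WORDS = {"no", "false", "0"}

def norm(name):
    """Compare parameter names case-insensitively and without whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for an smb.conf string."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def audit(text):
    """List (share, force user, force group) where the check is disabled."""
    conf = parse_smb_conf(text)
    defaults = conf.get("global", {})
    findings = []
    for share, params in conf.items():
        merged = {**defaults, **params}
        # Assumption: an unset parameter means the check is enabled ("yes").
        if share != "global" and merged.get("aclcheckpermissions", "yes").lower() in FALSE_WORDS:
            findings.append((share, merged.get("forceuser"), merged.get("forcegroup")))
    return findings
```

Calling `audit(SAMPLE_SMB_CONF)` reports only the `public` share; a value set in `[global]` is inherited by every share that does not override it.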