diff -Nurp samba310-basis/source/smbd/nttrans.c smb-patch/source/smbd/nttrans.c
--- samba310-basis/source/smbd/nttrans.c	Wed Dec 15 09:33:17 2004
+++ smb-patch/source/smbd/nttrans.c	Thu Jan 13 16:11:27 2005
@@ -1415,11 +1429,26 @@ static int call_nt_transact_create(conne
 	 * Now try and apply the desired SD.
 	 */
-	if (lp_nt_acl_support(SNUM(conn)) && sd_len &&
-		!NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) {
-		close_file(fsp,False);
-		restore_case_semantics(conn, file_attributes);
-		return ERROR_NT(status);
+	/*
+	 * According to the M$ documentation, the only time the security
+	 * descriptor is applied to the opened file is iff we *created* the
+	 * file; an existing file stays the same.
+	 *
+	 * Also, it seems (from observation) that you can open the file with
+	 * any access mask but you can still write the sd. We need to override
+	 * the granted access before we call set_sd
+	 */
+	if (lp_nt_acl_support(SNUM(conn)) && sd_len && smb_action == FILE_WAS_CREATED) {
+		uint32 saved_access = fsp->desired_access;
+
+		fsp->desired_access = FILE_GENERIC_ALL;
+
+		if (!NT_STATUS_IS_OK(status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION))) {
+			close_file(fsp,False);
+			restore_case_semantics(conn, file_attributes);
+			return ERROR_NT(status);
+		}
+		fsp->desired_access = saved_access;
 	}
 	restore_case_semantics(conn, file_attributes);
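Review bot: The widened mask set by `fsp->desired_access = FILE_GENERIC_ALL;` is still in effect on the failure path, because `fsp->desired_access = saved_access;` runs only after a successful set_sd, so close_file(fsp,False) and everything it calls see FILE_GENERIC_ALL rather than the access the client was actually granted. Since the override exists precisely to get past set_sd's own access check, it should live no longer than that one call: `status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION);` then `fsp->desired_access = saved_access;` and only then `if (!NT_STATUS_IS_OK(status)) {`, which also removes the assignment-inside-condition. The comment above the block justifies the override with "it seems (from observation)"; a reader auditing this later would want the actual safety argument stated, e.g. `/* Safe only because smb_action == FILE_WAS_CREATED: the caller just created this file, so granting it WRITE_DAC/WRITE_OWNER on the new object does not widen access to pre-existing data. */`. The enclosing function call_nt_transact_create starts and ends outside the hunk.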