Steps to reproduce: * create a file * set RO DOS attribute on the file * try to open the file requesting MAXIMUM_ALLOWED permissions Result: NT_STATUS_ACCESS_DENIED smbd trips over this in open_file_ntcreate(): if (flags != O_RDONLY && file_existed && (!CAN_WRITE(conn) || IS_DOS_READONLY(existing_dos_attributes))) { DEBUG(5,("open_file_ntcreate: write access requested for " "file %s on read only %s\n", smb_fname_str_dbg(smb_fname), !CAN_WRITE(conn) ? "share" : "file" )); errno = EACCES; return NT_STATUS_ACCESS_DENIED; } I guess the problem is that smbd_calculate_maximum_allowed_access() doesn't take the RO attribute into account. Found as part of MR review https://gitlab.com/samba-team/samba/merge_requests/982
This bug was referenced in samba master: 12e0c579785b84a99ad6f1877aa1c45391aba60e c73d666e5abe8717a5ea333a6dae3619d9621d48 e3d883c0b1caf13596dc8a18a8a108e3e48e7543 5ed188e492cfca9fef9266aa66041726f3ab6de5 9da1e7a4041a9f4258e23e70230bd75c60c55490 169d8fe4a956c98da9558ccef9b1c90ea6a841e4 772319412df7804236e1cc06056474469bcdcb66
This requires VFS changes, so we can't easily backport this. As this has been an lingering around for quite some time, it doesn't seem to hurt many people. Closing the bug, Samba 4.18 will ship the fix.