Steps to reproduce:

* create a file
* set RO DOS attribute on the file
* try to open the file requesting MAXIMUM_ALLOWED permissions

Result: NT_STATUS_ACCESS_DENIED

smbd trips over this in open_file_ntcreate():

    if (flags != O_RDONLY && file_existed &&
        (!CAN_WRITE(conn) ||
         IS_DOS_READONLY(existing_dos_attributes))) {
        DEBUG(5,("open_file_ntcreate: write access requested for "
                 "file %s on read only %s\n",
                 smb_fname_str_dbg(smb_fname),
                 !CAN_WRITE(conn) ? "share" : "file" ));
        errno = EACCES;
        return NT_STATUS_ACCESS_DENIED;
    }

I guess the problem is that smbd_calculate_maximum_allowed_access() doesn't take the RO attribute into account.

Found as part of MR review https://gitlab.com/samba-team/samba/merge_requests/982
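A simplified model of the interaction described in the report, added here as an illustration; it is not Samba code and not the project's fix. It assumes the open flags are derived from the write bits of the resolved access mask; ACL_GRANTED, resolve_access(), model_open() and the honor_ro switch are hypothetical names for this example.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard NT access-mask and DOS attribute values. */
#define FILE_READ_DATA          0x00000001u
#define FILE_WRITE_DATA         0x00000002u
#define FILE_APPEND_DATA        0x00000004u
#define MAXIMUM_ALLOWED         0x02000000u
#define FILE_ATTRIBUTE_READONLY 0x00000001u

/* Assumption: constructed stand-in for the rights the file's ACL grants. */
#define ACL_GRANTED (FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA)

/* Expand MAXIMUM_ALLOWED into concrete bits. With honor_ro set, the RO
 * attribute removes write bits from the expansion only, not from bits
 * the client asked for explicitly. */
static uint32_t resolve_access(uint32_t requested, uint32_t dosattr, bool honor_ro)
{
    uint32_t granted = ACL_GRANTED;
    if (!(requested & MAXIMUM_ALLOWED)) {
        return requested;
    }
    if (honor_ro && (dosattr & FILE_ATTRIBUTE_READONLY)) {
        granted &= ~(FILE_WRITE_DATA | FILE_APPEND_DATA);
    }
    return (requested & ~MAXIMUM_ALLOWED) | granted;
}

/* Model of the quoted check: 0 = open succeeds, -1 = ACCESS_DENIED. */
static int model_open(uint32_t requested, uint32_t dosattr, bool honor_ro)
{
    uint32_t mask = resolve_access(requested, dosattr, honor_ro);
    int flags = (mask & (FILE_WRITE_DATA | FILE_APPEND_DATA)) ? O_RDWR : O_RDONLY;
    if (flags != O_RDONLY && (dosattr & FILE_ATTRIBUTE_READONLY)) {
        return -1;
    }
    return 0;
}

int main(void)
{
    printf("reported:  %d\n", model_open(MAXIMUM_ALLOWED, FILE_ATTRIBUTE_READONLY, false));
    printf("RO-aware:  %d\n", model_open(MAXIMUM_ALLOWED, FILE_ATTRIBUTE_READONLY, true));
    printf("explicit:  %d\n", model_open(FILE_WRITE_DATA, FILE_ATTRIBUTE_READONLY, true));
    return 0;
}
```

An explicit FILE_WRITE_DATA request on a read-only file is still denied in the model; only the MAXIMUM_ALLOWED expansion changes.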