diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index db451fb35..0d533c222 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,9 @@
+2007-09-17  Corinna Vinschen  <corinna@vinschen.de>
+
+	* fhandler.cc (fhandler_base::open): Partly revert change from
+	2007-08-24:  Call has_acls to avoid permission problems getting
+	a handle to a file on a remote share.  Add comment.
+
 2007-09-08  Brian Dessent  <brian@dessent.net>
 
 	* include/cygwin/config.h: Conditionalize inline __getreent()
diff --git a/winsup/cygwin/fhandler.cc b/winsup/cygwin/fhandler.cc
index dadb90e2d..c7ba078e1 100644
--- a/winsup/cygwin/fhandler.cc
+++ b/winsup/cygwin/fhandler.cc
@@ -551,7 +551,17 @@ fhandler_base::open (int flags, mode_t mode)
 
       /* If the file should actually be created and ntsec is on,
 	 set files attributes. */
-      if (allow_ntsec)
+      /* TODO: Don't remove the call to has_acls() unless there's a
+	 solution for the security descriptor problem on remote samba
+	 drives.  The local user SID is used in set_security_attribute,
+	 but the actual owner on the Samba share is the SID of the Unix
+	 account.  There's no transparent mapping between these accounts.
+	 And Samba has a strange behaviour when creating a file.  Apparently
+	 it *first*( creates the file, *then* it looks if the security
+	 descriptor matches.  The result is that the file gets created, but
+	 then NtCreateFile doesn't return a handle to the file and fails
+	 with STATUS_ACCESS_DENIED.  Go figure! */
+      if (allow_ntsec && has_acls ())
 	{
 	  set_security_attribute (mode, &sa, sd);
 	  attr.SecurityDescriptor = sa.lpSecurityDescriptor;