ntacl sysvolreset does not create correct ACLs

steve steve at steve-ss.com
Sun Oct 14 03:47:57 MDT 2012


Hi, I posted this problem on the samba list but did not get a reply. Can 
anyone here help/comment to clarify the situation?
Thanks,
Steve
--------------------------
<message sent to samba list>
Hi
Version 4.1.0pre1-GIT-957f9fa
openSUSE 12.2

After running samba-tool ntaclreset, these are the ACEs produced:
getfacl sysvol/
# file: sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:3000000:r--
group:3000001:r--
group:3000002:r--
mask::rwx
other::---

I got the group names from wbinfo. The group numbers correspond to:
3000000 BUILTIN\Server Operators 4
3000001 NT AUTHORITY\SYSTEM 5
3000002 NT AUTHORITY\Authenticated Users 5

Problem: GPOs do not work. I think this is due to the r-- only ACE. 
Users, authenticated or not, do not have access to sysvol to be able to 
read the GPOs because of the r--.
I changed the ACL by adding an r-x and rwx after comparing what a 
working installation on Ubuntu gave:
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r-x
group:wheel:r-x
group:3000000:r-x
group:3000001:rwx
group:3000002:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:3000000:r-x
default:group:3000001:rwx
default:group:3000002:r-x
default:mask::rwx
default:other::---

and now the GPOs work again. However, running sysvolreset returns the 
ACL to the r-- state.

I tested this on Ubuntu where sysvolreset works fine, producing r-x and 
rwx ACEs in the correct place. I think the problem must be distro 
specific. Works for Ubuntu, not for openSUSE.

Is there something in the script which makes it distro dependent? I 
notice Ubuntu uses different owning groups (adm on Ubuntu, wheel on openSUSE)?
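
A check for the condition described in the message above, as an added example that is not part of the original post or of Samba: it parses `getfacl` output, lists the directory's access entries whose effective permission includes read but not search (`x`), and reports whether default entries are present. The function names are illustrative, and `RESET_ACL` holds the entries from the first listing in the post with the owner/group/flags header lines trimmed.

```python
# Added example. RESET_ACL is the listing quoted in the post after the reset.
RESET_ACL = """\
# file: sysvol/
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:3000000:r--
group:3000001:r--
group:3000002:r--
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Map each ACL entry ('group:3000000', 'default:other', ...) to its rwx string."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop headers and '#effective:' notes
        if line:
            entry, _, perms = line.rpartition(":")
            acl[entry.rstrip(":")] = perms
    return acl

def effective(acl, entry):
    """Apply the mask to named users, the owning group and named groups."""
    perms = acl[entry]
    if entry in ("user", "other", "mask"):        # these are never masked
        return perms
    mask = acl.get("mask", "rwx")
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def read_without_search(acl):
    """Access entries that may list the directory but cannot traverse into it."""
    return sorted(e for e in acl
                  if not e.startswith("default:") and e != "mask"
                  and "r" in effective(acl, e) and "x" not in effective(acl, e))

def has_default_acl(acl):
    """True when the directory carries default: entries for new files to inherit."""
    return any(e.startswith("default:") for e in acl)

if __name__ == "__main__":
    acl = parse_getfacl(RESET_ACL)
    for entry in read_without_search(acl):
        print(f"{entry}: {acl[entry]} (readable, not searchable)")
    print("default ACL present:", has_default_acl(acl))
```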

