samba - Mar 2004 - Problem with ACLs after upgrade to 3.02

I'm trying to work out an upgrade path for upgrading our 2.2.8a 
servers to 3.x, and have run into the following problem. (surely 
someone has documented this?!)

Freshly loaded Mandrake 9.2 server using XFS with ACL 
support. Samba 3.0.2a compiled with:

--with-winbind --with-acl-support --with-quotas

The stock 2.2.8a Mandrake RPMS were installed and tested 
first. Then the binaries from 3.0.2a were copied over. After 
adjusting for different conf and var locations, 3.0.2a starts 
successfully, and testparm shows the smb.conf to be ok. Re-
joining the domain using net join worked fine.
Can connect as domain admin to a share to which domain 
admins are designated "admin user". 
I can successfully edit existing permissions for 
user,group,other from Win2K. But any operations (from win2k 
client) which attempt to add an ACL for a domain user or group 
to a file fail with 'access denied'. In addition, attempting to add 
permissions for a local unix user or group show an empty list - 
just "everyone".

The above operations work on 2.2.8a using the same config, 
with the exception of the recursive permissions problem I 
reported earlier (to which nobody responded, making me 
wonder if anyone else actually uses ACLs for domain accounts 
on samba...).

Here's the conf file:

[global]
	hosts allow = 10. 139.142.66. 127.
	winbind uid = 10000-20000
	max xmit = 65535
	allow hosts = 139.142.66. 10.
	dns proxy = no
	netbios name = PROXY4
	oplocks = yes
	inherit permissions = yes
	workgroup = SHAWNIGAN
	debug level = 3
	security = domain
	getwd cache = yes
	winbind separator = +
	log level = 10
	read raw = yes
	write raw = yes
	socket options = TCP_NODELAY IPTOS_LOWDELAY 
SO_RCVBUF=16384 SO_SNDBUF=16384
	wins server = 139.142.66.1
	create mask = 0700
	domain master = no
	map to guest = never
	null passwords = no
	encrypt passwords = yes
	template shell = /bin/false
	dead time = 0
	password level = 0
	server string = Proxy Server
	password server = *
	winbind enum users = yes
	winbind gid = 10000-20000
	unix password sync = no
	winbind enum groups = yes
	directory mask = 0700
	preferred master = no

[home]
    comment = Homes
    browseable = yes
    writable = yes
    available = yes
    public = no
    only user = no
    path=/home     
    valid users = @"shawnigan+domain admins"
    admin users = @"shawnigan+domain admins"

[sysroot]
	comment = sysroot
	valid users = @"shawnigan+domain admins"
        admin users = @"shawnigan+domain admins"
	writeable = yes
	path = /
	allow hosts = 139.142.66.




-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca