Samba4 domain controller, group policy processing fails, gpupdate fails

I'm using a Samba4 domain controller, and on the machines joined to the domain I'm seeing this message:

The processing of Group Policy failed. Windows attempted to read the file \\mydomain.org\sysvol\mydomain.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.

Running gpupdate gives me the same error. If I open the run box and type notepad \\mydomain.org\sysvol\mydomain.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini, I get Notepad opened up with the file in it. The contents are these:

[General]
Version=14

Clearly the file exists, and is accessible (by the domain administrator, anyway). The mydomain.org name resovles to the IP address of my domain controller. If I run GPRESULT /H GPReport.html, the resulting file says:

Group Policy Infrastructure failed due to the error listed below.

Access is denied. 

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

I've checked the ACL via smbcacls on the domain folder under the sysvol share, and got this output:

pi@dc-rpi1 ~ $ smbcacls //mydomain.org/sysvol mydomain.org -U [email protected]
Enter [email protected]'s password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:MYDOMAIN\Administrator
GROUP:BUILTIN\Administrators
ACL:BUILTIN\Administrators:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Server Operators:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ

If I try to get the ACLs on the gpt.ini file itself, I get this:

pi@dc-rpi1 ~ $ smbcacls //mydomain.org/sysvol mydomain.org/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/gpt.ini -U [email protected]
Enter [email protected]'s password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:MYDOMAIN\Domain Admins
GROUP:MYDOMAIN\Domain Admins
ACL:MYDOMAIN\Domain Admins:ALLOWED/OI|CI/FULL
ACL:MYDOMAIN\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:MYDOMAIN\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\ServerLogon:ALLOWED/OI|CI/READ

Why won't group policy processing work? Are the ACLs not working because my DC isn't running the right filesystem, or some other obscure configuration problem?