I have a patch on the list to eliminate this smb.conf option, as currently 'samba-tool' is treated as NT4 (because it is remote arch 'unknown') and so produces a different NT ACL for the hash compared with what a connected client will read and write.
(of course, we could just set the global variable in samba-tool, or force the smb.conf option for the release).
Add this as a fix for 4.0.0.rc.next and I'll +1 it. I'm very happy to remove this old code for 4.0.0.
Patches for this are in master and are in the mega-patch on bug #9406 for 4.0
Should be fixed in Samba 4.0.0rc6.
Please feel free to re-open if it's still an issue.