Sysadmin fixed the ACLs (there were two sets of entries, apparently, which confused the process for a while), and now the machine is up and running with Jenkins on port 8080. I tried moving it to port 80, but was prevented by the Ubuntu rule which won't allow a service not running as root to run on a port below 1024 (and we definitely don't want Jinks running as root). So I may end up running Apache just so I can proxy it to port 80. Seems like overkill, but there doesn't seem to be an alternative solution.
I'm going to run the two machines side by side until I come back from vacation, so we can make sure the new one is stable before we switch to it and bring down the old one.