OS X Lion in Active Directory - disable default shares?

Question

Level 1

80 points

OS X Lion in Active Directory - disable default shares?

I have an iMac running Lion (10.7.3) which is joined to my Active Directory domain. If I enable SMB file sharing then even with no users explicitly enabled for sharing and no shares explicitly defined domain users can access the Mac via Windows file sharing. Depending on the type of user (administrator or not) who is accessing the Mac they will see either just their Mac home directory exposed via SMB sharing, if they are a non admin user, or their home directory plus all attached hard drives (Macintosh HD, Time Machine Backup) exposed if they are an admin user.

This is very insecure and prevents me properly exploiting SMB sharing.

Is there any way to 'disable' these default shares leaving just shares I create explicitly?

Thanks,

Chris

iMac 27" Core i7, Mac OS X (10.6.3)

Posted on Feb 13, 2012 5:57 AM

Reply

Answer 1

Best reply

David Kurtz2

Level 1

55 points

Feb 14, 2012 5:42 PM in response to ChrisJenkins

This knowledgebase article might be helpful:

http://support.apple.com/kb/HT5038

Reply

Answer 2

ChrisJenkins Author

Level 1

80 points

Feb 15, 2012 1:42 AM in response to David Kurtz2

Thanks David, that pretty much did the trick! Even though the article refers to Lion Server it seems the same holds true for Lion desktop. Also, the VirtualAdminShares flag is not present ther by default so it seems in its absence it defaults to Enabled. I disabled it (set flag to NO), rebooted and now admins do not see all attached disks as shares.

However, any user who connects still sees their home directory as shared even though those are not explicitly shared. it would be nice to be able to control that too but it is much better than previously so I am not too concerned.

Thanks again for that useful pointer.

Reply