CNET también está disponible en español.

Ir a español

Don't show this again


Unable to disable SMB file sharing in OS X

After upgrading to OS X Lion, some people who have used Windows file sharing may not be able to disable this setting.

In addition to offering file sharing using the Mac-native Apple Filing Protocol (AFP), Apple also includes an option for the Server Message Block (SMB) protocol so you can share files with Windows machines.

Unlike the AFP option that is enabled for the whole system, the SMB service is enabled or disabled for individual users in the Sharing preferences pane. Unfortunately, in some instances after upgrading from OS X 10.6 to OS X 10.7 Lion, some people who have had the SMB service enabled are finding they cannot disable it for their accounts. When they enter their passwords at the prompt, instead of turning off SMB the system claims the incorrect password was given, and keeps SMB enabled. This happens even though the same password successfully allowed the user to log into the account in the first place.

SMB password field
Disabling SMB sharing requires you enter an account's password, but in some cases this fails to work. Screenshot by Topher Kessler

One possible reason for why this is happening is an incompatibility with how the SMB configuration in Lion is authenticating with the system directory to grant access or account changes. In OS X Lion, Apple had to switch its windows file sharing technology from the open source Samba suite to an in-house developed suite because of changes to the licensing for Samba. Because of this switch, some configurations that worked in Snow Leopard might experience odd problems when used for the different software in Lion.

To fix this problem, as described by Apple Discussion poster SanderFromH, you will need to switch the entries for your account's authentication authority configuration. It appears that Apple's SMB tool may only access one of these for some systems, and switching them forces the tool to use the appropriate one. You can do this with the following procedure:

  1. Back up your system
    Switching these entries in your account configuration should not affect how other system services authenticate, but as a precaution before modifying this aspect of your account be sure to back up your system. Use a cloning tool or Time Machine (preferably both) to make a full and restorable backup of your system before continuing.

  2. Open Directory Utility
    Go to the /System/Library/CoreServices/ folder and open the Directory Utility application.

  3. Directory Utility settings
    In Disk Utility, select the User list (1), then ensure the directory is the local one (2), and authenticate if needed (3). Then select you user account (4), and locate the "Authentication Authority" tag in the list (5). Finally, cut the contents from the data box below the attributes list (6). Screenshot by Topher Kessler
  4. Locate your user account
    In the Directory Utility program, select Users in the Viewing menu, and select "/Local/Default" as the node. Then ensure the lock next to these menus is unlocked (you will have to authenticate as an admin if it is locked). After doing this, select your account name from the list on the left, which by default should show your full account name and not the short one.

  5. Locate the AuthenticationAuthority tag
    In the right-hand box, find the AuthenticationAuthority tag in the Name column, expand it by clicking the triangle next to it, and note that in the Value column next to it there are two listings: one on the same line as the "AuthenticationAuthority" that begins with "Kerberos" in as its value, and the one below it that begins with "ShadowHash" as its value.

  6. Cut the top-most entry
    Select the entry that begins with "Kerberos," and in the box below the Name/Value list, you should see a long list of numbers and letters. Select all of this text and press Command-X to cut it to the clipboard (if you make a mistake, you can always click the Revert button at the bottom of the window). After doing this, go back to the Name/Value list and click the "ShadowHash" entry. When you select it, the "Kerberos" entry you just cut will disappear and entries will shift upward, so be sure that the "ShadowHash" entry is selected.

  7. Paste the copied entry
    With the ShadowHash entry selected, click the plus sign next to it, and a new entry will be made with "new_value" as its contents. In the box below, select the new_value text and press Command-V to paste in the copied "Kerberos..." text. At this point you have switched the order of these two values.

  8. Save and close
    With the text pasted, save the file and close it.

When this procedure is completed, you should now be able to change the SMB sharing settings in the Sharing system preferences.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.