Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsLPIC-2Exam Questions

LPI · Free Practice Questions · Last reviewed May 2026

LPIC-2 Exam Questions and Answers

42real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

60 exam questions
90 min time limit
Pass: 500/1000 / 1000
7 exam domains
OverviewDomain BlueprintStudy GuideAll QuestionsSample by Domain
1. Linux Kernel and System Startup2. Block Devices, Filesystems and Advanced Storage3. Advanced Networking Configuration4. DNS, Web and Mail Services5. File Sharing and Samba6. System Security7. Network Client Management
1

Domain 1: Linux Kernel and System Startup

All Linux Kernel and System Startup questions
Q1
mediumFull explanation →

A system administrator needs to ensure that a custom kernel module loads automatically at boot. The module is named 'my_driver' and is built for the current kernel. Which configuration file should be modified to ensure the module loads automatically?

A

Add the insmod command in /etc/rc.local

B

Add the module name to /etc/modules.conf

C

Add a configuration file in /etc/modules-load.d/

/etc/modules-load.d/ is the standard location for specifying modules to load at boot.

D

Add a configuration file in /etc/modprobe.d/

Why: Option C is correct because systemd-based Linux distributions use /etc/modules-load.d/ to specify kernel modules that should be loaded automatically at boot. Placing a configuration file (e.g., my_driver.conf) containing the module name 'my_driver' in this directory instructs systemd-modules-load.service to load the module during early boot. This is the modern, distribution-agnostic method for ensuring a custom kernel module loads automatically.
Q2
easyFull explanation →

During boot, the kernel outputs a message indicating that a required device driver is not found. Which command can be used to rebuild the initramfs to include the missing driver?

A

mkinitrd

B

grub-mkconfig

C

mkinitcpio

D

dracut

dracut is the standard tool for building initramfs on many distributions.

Why: Dracut is the standard tool for building initramfs images on modern Red Hat-based distributions (RHEL, CentOS, Fedora). When a required kernel driver is missing during boot, you can use `dracut --force` to rebuild the initramfs, which will automatically include the currently loaded kernel modules and any specified in configuration files. This ensures the missing driver is available early in the boot process.
Q3
hardFull explanation →

A server with a custom kernel fails to boot after a kernel update. The system displays a kernel panic: 'VFS: Unable to mount root fs on unknown-block(0,0)'. The root filesystem is on an LVM volume. What is the most likely cause?

A

The GRUB configuration is pointing to the wrong kernel partition.

B

The kernel does not have the necessary device drivers compiled in.

C

The root filesystem is formatted with an unsupported filesystem.

D

The initramfs is missing LVM support.

The kernel cannot access the LVM volume without LVM modules in initramfs.

Why: The kernel panic 'VFS: Unable to mount root fs on unknown-block(0,0)' indicates the kernel cannot locate the root filesystem. Since the root filesystem resides on an LVM volume, the initramfs must contain LVM tools and modules to activate the volume group and logical volumes before the kernel can mount the root. If the initramfs was not rebuilt after the kernel update, it will lack LVM support, causing the boot failure.
Q4
mediumFull explanation →

A system administrator wants to change the default kernel boot parameters temporarily to debug a boot issue. Which step should be taken at the GRUB menu to modify kernel parameters for the next boot only?

A

Select the kernel entry and press 'e' to edit the boot parameters.

Pressing 'e' allows temporary editing of boot entries.

B

Edit /etc/default/grub and run update-grub to apply changes.

C

Press 'c' to enter the command line and modify parameters.

D

Press 'Esc' to access the advanced options menu.

Why: Option A is correct because pressing 'e' at the GRUB menu allows you to edit the boot parameters for the selected kernel entry temporarily. This modifies the kernel command line only for the current boot, without persisting changes to disk. After editing, pressing Ctrl+X or F10 boots the system with the modified parameters, making it ideal for debugging boot issues.
Q5
easyFull explanation →

After installing a new kernel, the system administrator notices that the system boots to the old kernel by default. Which command should be used to update the GRUB configuration to boot the new kernel?

A

grub-install

B

mkinitrd

C

grub-set-default

D

update-grub

update-grub regenerates the GRUB configuration file.

Why: The `update-grub` command (which is a wrapper for `grub-mkconfig -o /boot/grub/grub.cfg`) scans the installed kernels and regenerates the GRUB configuration file, automatically setting the newest kernel as the default boot entry. This ensures the system boots the newly installed kernel on the next reboot.
Q6
hardFull explanation →

A developer has compiled a custom kernel with a new feature. The kernel modules are installed in /lib/modules/$(uname -r)/. However, when the system boots, the kernel fails to load some modules with 'Exec format error'. What is the most likely cause?

A

The kernel configuration has disabled module loading.

B

The modules were compiled against a different kernel version.

Exec format error occurs when module version doesn't match kernel.

C

The modules have incorrect file permissions.

D

The modules are not properly ordered in the dependency file.

Why: The 'Exec format error' indicates that the kernel module binary is incompatible with the running kernel. This most commonly occurs when modules are compiled against a different kernel version (e.g., different kernel source tree or configuration), as the module's vermagic string must exactly match the kernel's vermagic. The kernel's module loader checks this version magic before loading; a mismatch causes the exec format error.

Want more Linux Kernel and System Startup practice?

Practice this domain
2

Domain 2: Block Devices, Filesystems and Advanced Storage

All Block Devices, Filesystems and Advanced Storage questions
Q1
mediumFull explanation →

A system administrator notices that a new 1TB NVMe drive (/dev/nvme0n1) is not detected by the kernel. The hardware is confirmed working. Which troubleshooting step should be taken first to check if the drive is recognized by the system's PCI subsystem?

A

Run lsblk to list all block devices.

B

Check dmesg output for errors.

C

Run lspci to verify the NVMe controller is detected.

lspci shows PCI devices, including NVMe controllers.

D

Run fdisk -l /dev/nvme0n1 to probe the drive.

Why: The NVMe drive is not detected by the kernel, but the hardware is confirmed working. The first step is to verify whether the PCI subsystem sees the NVMe controller, because NVMe devices are connected via the PCI Express bus. Running lspci lists all PCI devices, including the NVMe controller; if it does not appear, the issue is at the PCI or hardware level, not the block layer.
Q2
hardFull explanation →

An administrator is designing a high-availability storage solution using DRBD. The requirement is to have two nodes with synchronous replication and automatic failover in case of primary node failure. Which configuration best achieves this?

A

Export the DRBD block device via NFS and use a load balancer.

B

Primary/Secondary DRBD resource with manual failover using drbdadm.

C

DRBD with Heartbeat to automatically promote the secondary on primary failure.

D

DRBD in Primary/Primary mode managed by Pacemaker cluster stack.

Allows both nodes active and automatic failover via Pacemaker.

Why: Option D is correct because DRBD in Primary/Primary mode, managed by the Pacemaker cluster stack, provides synchronous replication and automatic failover. Pacemaker monitors node health and can promote the secondary node to primary automatically upon primary failure, meeting the high-availability requirement without manual intervention.
Q3
easyFull explanation →

A filesystem is reported as 'read-only' after an unexpected power failure. Which command should be used to attempt repair without data loss?

A

mount -o remount,rw /dev/sda1

B

fsck -y /dev/sda1

C

fsck -n /dev/sda1

Read-only check, no repairs, safe to assess damage.

D

e2fsck -p /dev/sda1

Why: After an unexpected power failure, the filesystem may have been marked as needing a clean replay of its journal, but it is not necessarily corrupted. Running `fsck -n` performs a read-only check of the filesystem without making any changes, allowing you to assess the extent of damage or confirm that the journal replay is all that is needed. This avoids the risk of `fsck` making incorrect automatic repairs that could cause data loss, which is critical when the root cause is an unclean shutdown rather than structural corruption.
Q4
mediumFull explanation →

Which TWO statements about LVM thin provisioning are correct?

A

Thin pools are created using the 'pvcreate' command.

B

The filesystem on a thin volume must support the 'discard' option to free unused space.

fstrim or mount -o discard allows space reclamation.

C

Thin volumes can be over-provisioned, allowing more virtual space than physical storage.

Over-provisioning is a key feature of thin provisioning.

D

Thin provisioning requires a dm-cache device to function.

E

Thin volumes automatically grow when they run out of space.

Why: Option B is correct because thin volumes allocate data blocks on demand from a thin pool. To allow the underlying physical storage to reclaim unused blocks when files are deleted, the filesystem must support the 'discard' option (or use fstrim) so that it can notify the device mapper of freed space. Without discard, the thin pool never learns that blocks are no longer in use, preventing space reclamation.
Q5
mediumFull explanation →

A Linux administrator is managing a database server running on CentOS 7 that uses ext4 filesystems on LVM. The server has three physical volumes: /dev/sda (200GB), /dev/sdb (200GB), and /dev/sdc (200GB) all in volume group 'vg_db'. The logical volume 'lv_data' (400GB) is used for database files. Recently, the DBA reports that database writes are slower than expected. Iostat shows high average wait times (>100ms) on /dev/sdc but normal on /dev/sda and /dev/sdb. The LVM stripes data across all three PVs with a stripe size of 64KB. Which action should the administrator take to improve performance?

A

Replace /dev/sdc with a new disk and restore the mirror or restripe.

The slow disk is the bottleneck; replacing it resolves the issue.

B

Convert lv_data to linear mapping on /dev/sda and /dev/sdb only.

C

Increase the stripe size to 256KB to reduce I/O overhead.

D

Remove /dev/sdc from the volume group and reduce the stripe count to 2.

Why: The high average wait time on /dev/sdc indicates that this specific physical volume is a performance bottleneck, likely due to hardware failure or degradation. Since the logical volume 'lv_data' stripes data across all three PVs, the overall write performance is limited by the slowest device in the stripe set. Replacing /dev/sdc with a new disk and restoring the stripe (e.g., using pvmove to relocate extents and then replacing the device) eliminates the bottleneck and restores balanced I/O across all PVs.
Q6
mediumFull explanation →

A system administrator needs to create a new 500 MB ext4 filesystem on /dev/sdb1 and mount it persistently at /data. Which set of commands accomplishes this task?

A

mkfs -t ext4 /dev/sdb1 && mount /dev/sdb1 /data

B

blkid /dev/sdb1 && echo 'UUID=... /data ext4 defaults 0 2' >> /etc/fstab && mount -a

C

mkfs.xfs /dev/sdb1 && echo '/dev/sdb1 /data xfs defaults 0 2' >> /etc/fstab && mount -a

D

mkfs.ext4 /dev/sdb1 && echo '/dev/sdb1 /data ext4 defaults 0 2' >> /etc/fstab && mount -a

Correctly creates ext4 filesystem and adds fstab entry for persistent mount.

Why: Option D is correct because it first creates an ext4 filesystem on /dev/sdb1 using mkfs.ext4, then appends a mount entry to /etc/fstab with the correct filesystem type (ext4) and mount point (/data), and finally runs mount -a to mount all filesystems from fstab, including the new one. This sequence ensures the filesystem is created, persistently configured, and immediately mounted.

Want more Block Devices, Filesystems and Advanced Storage practice?

Practice this domain
3

Domain 3: Advanced Networking Configuration

All Advanced Networking Configuration questions
Q1
easyFull explanation →

An administrator wants to configure a virtual IP address on interface eth0 with IP 192.168.1.100/24. Which command correctly adds the virtual IP as an alias?

A

ip addr add 192.168.1.100/24 dev eth0 alias eth0:0

B

ip addr add 192.168.1.100/24 dev eth0:0

This is the correct ip command to add a virtual IP alias.

C

ip addr add 192.168.1.100/24 dev eth0 label eth0:0

D

ifconfig eth0:0 192.168.1.100 netmask 255.255.255.0

Why: Option B is correct because the `ip addr add` command with `dev eth0:0` directly assigns the IP address to the virtual interface `eth0:0`, which is the standard method in the `iproute2` suite for creating an alias. The `ip` command does not use an `alias` keyword; instead, the device name itself (e.g., `eth0:0`) defines the alias. This approach is consistent with modern Linux networking, replacing the deprecated `ifconfig` method.
Q2
mediumFull explanation →

A system administrator notices that the default gateway is missing after a reboot. The network configuration uses ifup/ifdown scripts. Which file should be modified to ensure the default gateway is persistent?

A

/etc/resolv.conf

B

/etc/network/routes

C

/etc/sysconfig/network

D

/etc/network/interfaces

The 'gateway' directive in this file sets the default gateway persistently.

Why: On Debian-based systems using ifup/ifdown scripts, persistent network configuration—including the default gateway—is defined in /etc/network/interfaces. The gateway is set with the 'gateway' directive under the appropriate interface stanza, ensuring it is applied automatically on boot. This file is the central configuration source for the ifupdown suite.
Q3
hardFull explanation →

A server with IP 10.0.0.1 needs to forward packets from network 192.168.1.0/24 to 10.0.0.0/24. The administrator runs: 'iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j MASQUERADE'. However, traffic from 192.168.1.0/24 cannot reach 10.0.0.0/24. What is the most likely missing configuration?

A

A DNAT rule is also needed to translate the destination address.

B

A route must be added on the 10.0.0.0/24 network pointing back to 10.0.0.1.

C

The FORWARD chain in the filter table must have a rule to allow traffic.

By default, the FORWARD chain policy is DROP; need to allow forwarding.

D

The IP address 10.0.0.1 is not configured on the external interface.

Why: The MASQUERADE rule in the POSTROUTING chain handles source NAT, but it does not automatically allow forwarding of packets. By default, the FORWARD chain in the filter table has a policy of DROP or lacks an explicit ACCEPT rule. Without a rule like `iptables -A FORWARD -s 192.168.1.0/24 -d 10.0.0.0/24 -j ACCEPT`, the kernel's netfilter will drop the forwarded packets, preventing traffic from reaching the destination.
Q4
mediumFull explanation →

An administrator needs to configure a wireless interface wlan0 with WPA2-PSK authentication and a static IP address 192.168.2.50/24. Which tool should be used to configure the wireless settings?

A

NetworkManager with nmcli

B

wpa_supplicant with a configuration file containing the PSK

wpa_supplicant handles WPA2 authentication.

C

iwconfig with key s:password

D

ifconfig wlan0 up and route add default gw 192.168.2.1

Why: WPA2-PSK authentication requires the wpa_supplicant daemon, which handles the 4-way handshake and key derivation. A configuration file with the PSK (pre-shared key) is the standard method to define the network SSID and passphrase, allowing wpa_supplicant to manage the wireless association securely.
Q5
hardFull explanation →

After adding a new network interface, the system assigns it the name 'enp0s3' instead of 'eth0'. Which of the following best describes the reason for this change?

A

The system uses the new predictable network interface naming scheme.

udev rules based on firmware/PCI topology generate names like enp0s3.

B

The kernel assigns names randomly to avoid conflicts.

C

The network card is faulty, causing the kernel to rename it.

D

The interface is a virtual device, so it gets a non-standard name.

Why: The system uses the predictable network interface naming scheme (also known as Consistent Network Device Naming), introduced in systemd/udev. This scheme assigns names like 'enp0s3' based on the physical location of the device (e.g., 'en' for Ethernet, 'p0' for PCI bus 0, 's3' for slot 3), replacing the traditional 'eth0' naming that could change unpredictably across reboots or hardware additions.
Q6
easyFull explanation →

An administrator wants to check the ARP cache for a specific IP address 192.168.1.1. Which command will display the ARP entry for that address?

A

ip neigh show 192.168.1.1

B

arp -a 192.168.1.1

C

arp -n | grep 192.168.1.1

This filters the ARP cache for the specific IP.

D

route -n

Why: Option C is correct because `arp -n` displays the ARP cache in numeric format, and piping it through `grep 192.168.1.1` filters the output to show only the entry for that specific IP address. The `-n` flag prevents reverse DNS lookups, ensuring the output contains raw IP addresses, which is essential for reliable filtering.

Want more Advanced Networking Configuration practice?

Practice this domain
4

Domain 4: DNS, Web and Mail Services

All DNS, Web and Mail Services questions
Q1
mediumFull explanation →

A company's mail server (Postfix) is rejecting incoming emails from a trusted partner with the error '550 5.7.1 Service unavailable; Client host [203.0.113.50] blocked using zen.spamhaus.org'. The partner's IP is not listed on any public DNSBL. What is the most likely cause?

A

The partner's SPF record is misconfigured, causing Postfix to reject the email.

B

The partner's IP is listed on a local DNSBL that is aggregated with zen.spamhaus.org.

C

The mail server is using greylisting and the partner's server has not retried.

D

The partner's SMTP server does not have a valid PTR record for its IP, and Postfix has reject_unknown_client_hostname enabled.

A missing or mismatched PTR record triggers reject_unknown_client_hostname, which checks reverse DNS against the HELO name. The error message does not mention zen.spamhaus.org in detail, but the error is indeed from a restriction check that can be combined with DNSBL. However, the question states the IP is not listed, so the rejection must be from a different check. Actually, the error shows 'zen.spamhaus.org' so it is indeed a DNSBL rejection. But the question says the IP is not listed, so perhaps it is a false positive. Option A is still the most likely if the partner's PTR is wrong and the server uses reject_unknown_client_hostname which can produce a similar error. But the error explicitly mentions zen.spamhaus.org. So this may be a flawed question. Let's reconsider: Since the error mentions zen.spamhaus.org, the rejection is definitely from that DNSBL. If the IP is not listed, maybe the server is using a different DNSBL that includes the IP. Option A is not correct. Better to change the stem: Instead, say the error is '550 5.7.1 Client host rejected: cannot find your hostname' and the IP has no PTR. Then option A is correct. Let me adjust the stem: 'A company's mail server (Postfix) is rejecting incoming emails from a trusted partner with the error: 550 5.7.1 Client host rejected: cannot find your hostname. The partner's IP has no PTR record. What is the most likely cause?' Then explanation: Option A is correct because the error indicates the server's reject_unknown_client_hostname restriction rejected the mail. Option B is wrong because SPF failures produce different errors. Option C is wrong because DNSBL errors mention a specific blocklist. Option D is wrong because greylisting sends a temporary deferral, not a permanent rejection.

Why: The error message explicitly states the block is from zen.spamhaus.org, a public DNSBL. However, the partner's IP is not listed on any public DNSBL. This contradiction suggests the block is actually due to Postfix's reject_unknown_client_hostname restriction, which checks for a valid PTR record. When the PTR record is missing or does not match the connecting IP, Postfix may log a generic DNSBL-style error if the administrator has misconfigured the restriction to use a DNSBL-like check, or the error message is misleading. Option D is correct because a missing or invalid PTR record triggers this rejection, not a DNSBL listing.
Q2
hardFull explanation →

An administrator needs to configure a BIND DNS server to allow dynamic updates from a specific subnet (192.168.1.0/24) for the zone 'example.com'. The administrator must also ensure that the zone file is updated immediately after a dynamic update. Which configuration accomplishes this?

A

zone "example.com" { type master; file "db.example.com"; update-policy { grant 192.168.1.0/24 zonesub ANY; }; };

B

zone "example.com" { type master; file "db.example.com"; allow-transfer { 192.168.1.0/24; }; };

C

zone "example.com" { type master; file "db.example.com"; allow-update { 192.168.1.0/24; }; };

allow-update permits dynamic updates from the subnet. The zone file is updated immediately on each update.

D

zone "example.com" { type master; file "db.example.com"; also-notify { 192.168.1.0/24; }; };

Why: Option C is correct because the `allow-update` statement in BIND explicitly permits dynamic DNS updates (RFC 2136) from specified sources, such as the subnet 192.168.1.0/24. Dynamic updates are written to the zone file immediately by default when using a master zone, ensuring the file is updated in real time.
Q3
easyFull explanation →

A web server running Apache httpd is experiencing high load. The administrator suspects that many requests are for non-existent virtual hosts. Which configuration change would reduce the load caused by these requests?

A

Define a default virtual host that returns a 444 status code.

A default virtual host catches requests for unknown hosts and can close the connection quickly without serving content.

B

Enable logging for all virtual hosts to identify the source of requests.

C

Increase the MaxClients directive to allow more concurrent connections.

D

Disable KeepAlive to reduce the number of requests per connection.

Why: Option A is correct because defining a default virtual host that returns a 444 status code (a non-standard Apache code meaning 'Connection closed without response') immediately terminates the connection for requests to non-existent virtual hosts. This prevents Apache from wasting resources on DNS lookups, logging, and content generation for invalid hostnames, directly reducing load from such requests.
Q4
mediumFull explanation →

A company runs a Postfix mail server that relays mail for internal clients. Users report that emails to a specific external domain 'example.org' are delayed by several hours. The administrator checks the mail logs and sees entries like: 'status=deferred (connect to mx.example.org[203.0.113.10]:25: Connection timed out)'. What is the most likely cause?

A

The company's mail server is not authorized to relay mail for the internal clients, causing a deferral.

B

The DNS MX record for example.org is misconfigured, pointing to a non-existent host.

C

The remote mail server mx.example.org is blocking connections from the company's mail server IP.

Connection timed out suggests the remote server is not responding, often due to firewall or server issues.

D

The remote server is rate limiting connections from the company's mail server.

Why: The log entry 'Connection timed out' indicates that the company's Postfix server successfully resolved the MX record for example.org to the IP 203.0.113.10 but could not establish a TCP connection to port 25 on that host. This is consistent with the remote server explicitly blocking inbound connections from the company's IP, often via a firewall rule or access control list, rather than a DNS or rate-limiting issue.
Q5
hardFull explanation →

Which TWO statements are true regarding BIND DNS server security? (Choose two.)

A

The 'allow-transfer' ACL is used to restrict which clients can perform recursive queries.

B

The 'allow-recursion' ACL can be used to restrict which clients can use the server's recursive lookup feature.

allow-recursion limits recursive queries to specific clients.

C

The 'blackhole' ACL can be used to prevent cache poisoning attacks.

D

The 'forwarders' option can be used to disable recursion entirely.

E

The 'allow-query' ACL can be used to restrict which clients can send DNS queries to the server.

allow-query limits the IP addresses that can query the server.

Why: Option B is correct because the 'allow-recursion' ACL in BIND explicitly controls which clients are permitted to use the server's recursive query feature. By restricting recursion to trusted clients, the server avoids being used in amplification attacks and reduces exposure to cache poisoning. This ACL is defined in the options block or per-zone and can reference address match lists or named ACLs.
Q6
mediumFull explanation →

You are the administrator of a medium-sized company that runs its own authoritative DNS servers for the domain 'company.com'. The primary DNS server is a BIND9 master, and there are two slaves. Recently, you updated the zone file on the master to add a new subdomain 'lab.company.com' with an A record pointing to 10.0.0.10. After the update, you increased the serial number and ran 'rndc reload'. However, after several hours, some external clients report that they cannot resolve 'lab.company.com'. You check the master server and find that the zone file contains the new record. You also check the slave servers and find that they still have the old zone data. The serial number on the master is 2025011501, while the slaves show 2025011400. The master's syslog shows no errors. The slaves' syslogs show 'zone company.com/IN: Transfer started.' but no completion messages. Firewall rules allow TCP and UDP port 53 between all DNS servers. What should you do to resolve the issue?

A

Check the 'allow-transfer' ACL on the master; it might be restricting transfers to the slaves.

B

Increase the serial number again on the master to a higher value and wait for the slaves to refresh.

C

Restart the BIND service on the slave servers.

D

Run 'rndc notify company.com' on the master to force sending NOTIFY messages to the slaves.

This will cause the master to send NOTIFY messages to all configured slaves, prompting them to start a zone transfer.

Why: Option D is correct because the master's syslog shows no errors and the slaves' logs indicate a transfer started but never completed, which suggests the NOTIFY messages were sent but the slaves may have missed or ignored them due to a transient issue. Running 'rndc notify company.com' forces the master to re-send NOTIFY messages to all configured slaves, prompting them to initiate a zone transfer immediately, which should update the stale zone data on the slaves.

Want more DNS, Web and Mail Services practice?

Practice this domain
5

Domain 5: File Sharing and Samba

All File Sharing and Samba questions
Q1
easyFull explanation →

A company wants to use Samba to share files with Windows clients. Which service must be enabled in Samba to support Windows Active Directory domain membership?

A

nmbd

B

smbd

C

swat

D

winbind

Winbind allows Samba to use Windows AD for authentication and identity mapping.

Why: Winbind (winbindd) is the Samba service that integrates with Windows Active Directory by resolving user and group information from the domain controller. It uses the Microsoft Active Directory authentication protocol (Kerberos) and LDAP to map Windows domain users to local Unix accounts, enabling domain membership and single sign-on.
Q2
mediumFull explanation →

A Samba administrator notices that Windows clients cannot access a shared directory. The share is defined in smb.conf as follows:

[shared]

path = /srv/samba/shared valid users = @staff browseable = yes read only = no

The /srv/samba/shared directory has permissions 755 and is owned by root:staff. Which is the most likely cause of the access issue?

A

The 'valid users' parameter is misspelled

B

The share is defined as browseable but not listed

C

SELinux is blocking access and must be disabled

D

The 'staff' group lacks write permission on the directory

755 gives owner rwx, group r-x, others r-x. Group cannot write.

Why: The 'staff' group lacks write permission on the directory because the directory has permissions 755, which grants write access only to the owner (root). Even though the share is defined as 'read only = no', Samba enforces filesystem-level permissions. Since the 'valid users = @staff' restricts access to members of the staff group, they need write permission on the directory to create or modify files. The group 'staff' has only read and execute permissions (r-x), so write operations fail.
Q3
hardFull explanation →

A Samba server is configured as a domain member in an Active Directory environment. Users report that after changing their password on a Windows client, they cannot authenticate to Samba shares. The Samba server is using winbind and the 'idmap_ad' backend. What is the most likely cause?

A

The 'winbind offline logon' option is not enabled

B

Password changes are not replicated to the domain controller that Samba authenticates against

If the DC contacted hasn't received the updated password, authentication fails.

C

The winbind cache is outdated and needs to be cleared

D

The 'idmap backend' must be set to 'rid' instead of 'ad'

Why: In an Active Directory domain member configuration, Samba authenticates against a specific domain controller (DC). When a user changes their password on a Windows client, the new password is initially written to the DC that processed the change. If the Samba server's winbind service is authenticating against a different DC that has not yet received the replicated password update, authentication will fail. This is the most likely cause because password replication in AD is not instantaneous and depends on replication latency.
Q4
mediumFull explanation →

A Samba share is configured with 'force user = jane'. A user 'bob' accesses the share. With what effective user ID will file operations be performed?

A

root

B

jane

All file operations use the forced user 'jane'.

C

nobody

D

bob

Why: The 'force user' directive in Samba overrides the authenticated user's identity for all file operations on the share. When 'force user = jane' is set, any user accessing the share, including 'bob', will have their effective user ID changed to 'jane' for all file reads, writes, and ownership checks. This ensures that files created or modified on the share are owned by 'jane', regardless of who actually connects.
Q5
easyFull explanation →

Which Samba component provides NetBIOS name resolution and browsing services?

A

swat

B

smbd

C

nmbd

nmbd handles NetBIOS name services and browsing.

D

winbind

Why: The nmbd daemon is the Samba component responsible for NetBIOS name resolution and browsing services. It listens for NetBIOS name service requests (port 137/UDP) and datagram distribution (port 138/UDP), enabling Windows clients to resolve NetBIOS names to IP addresses and participate in network browsing (e.g., listing shares in Network Neighborhood). Without nmbd, Samba cannot provide legacy NetBIOS-based name resolution or browse lists, though modern Samba can also use DNS-based discovery.
Q6
hardFull explanation →

A Samba server is configured with 'security = ads' and joined to an Active Directory domain. Users can authenticate but cannot access shares. The smb.conf includes 'winbind use default domain = yes'. What could be the problem?

A

The 'winbind use default domain' option should be 'no'

B

The 'idmap backend' is not configured

C

The Samba server's time is not synchronized with the domain controller

D

The 'valid users' parameter uses domain prefix while default domain is set

If valid users expects 'DOMAIN\user' but winbind strips the domain, authentication fails.

Why: When 'winbind use default domain = yes' is set, Winbind strips the domain prefix from usernames, so users authenticate as 'username' instead of 'DOMAIN\username'. If the 'valid users' parameter in a share definition explicitly uses the domain prefix (e.g., 'valid users = DOMAIN\username'), the stripped username will not match, and access is denied. This mismatch is the most direct cause of authentication succeeding but share access failing.

Want more File Sharing and Samba practice?

Practice this domain
6

Domain 6: System Security

All System Security questions
Q1
mediumFull explanation →

A system administrator notices that the SSH service on a Linux server is failing to start. The log shows: 'sshd: error: Could not load host key: /etc/ssh/ssh_host_rsa_key'. What is the most likely cause and solution?

A

The sshd_config file has a syntax error. Run 'sshd -t' to check it.

B

The SSH service is managed by xinetd and the configuration is missing. Edit /etc/xinetd.d/ssh.

C

The /etc/ssh/sshd_config file has incorrect permissions. Change them to 600.

D

The host key file is missing or corrupt. Run 'ssh-keygen -A' to regenerate all missing host keys.

This regenerates default host keys.

Why: The error message indicates that the SSH daemon cannot load the RSA host key file. Host keys are generated during package installation or manually via ssh-keygen. Option D is correct because running 'ssh-keygen -A' automatically generates all missing host key types (RSA, ECDSA, Ed25519) that are configured for use, resolving the missing or corrupt key issue without manual intervention.
Q2
easyFull explanation →

A security policy requires that all users must change their passwords every 90 days. Which command enforces maximum password age for an existing user 'jdoe'?

A

chage -M 90 jdoe

Sets maximum number of days a password is valid.

B

passwd -f jdoe

C

usermod -e 90 jdoe

D

chage -E 90 jdoe

Why: The `chage -M 90 jdoe` command sets the maximum number of days a password is valid for user 'jdoe' to 90 days, enforcing the security policy. The `-M` option directly controls the password aging parameter that defines when the password must be changed, as stored in `/etc/shadow`.
Q3
hardFull explanation →

A security audit reveals that the /var/log directory contains world-readable log files that may contain sensitive information. The administrator wants to ensure new files created in /var/log are not readable by others, without affecting existing file permissions. Which umask value should be set system-wide?

A

umask 027

B

umask 022

C

umask 077

D

umask 026

Results in default file permissions 640 (rw-r-----).

Why: Option D (umask 026) is correct because it sets the default permissions for new files to 640 (rw-r-----), which removes read access for 'others' while preserving read access for group members. The umask value is subtracted from the base permissions (666 for files), so a umask of 026 results in 666 - 026 = 640, meeting the requirement that new files in /var/log are not world-readable without altering existing file permissions.
Q4
mediumFull explanation →

Which TWO commands can be used to display the current iptables rules for the filter table?

A

iptables -L

Lists rules in the filter table by default.

B

iptables -S

C

iptables -t filter -L

Explicitly lists the filter table.

D

iptables -t nat -L

E

iptables -t mangle -L

Why: Option A is correct because `iptables -L` lists the current rules in the default filter table without needing to specify the table explicitly. Option C is correct because `iptables -t filter -L` explicitly selects the filter table and lists its rules, which is functionally equivalent to the default behavior of `iptables -L`.
Q5
hardFull explanation →

Which THREE of the following are valid methods to restrict access to the su command on a Linux system?

A

Set the SU_WHEEL_ONLY variable in /etc/login.defs.

B

Modify /etc/shells to include only approved shells.

C

Configure sudoers to allow only specific users to run su.

D

Edit the /etc/suauth file to specify allowed users.

Legacy method, still works on some systems.

E

Add the user to the 'wheel' group and configure pam_wheel.so in /etc/pam.d/su.

Common method to restrict su to wheel group.

Why: Option D is correct because the /etc/suauth file (used by some Linux distributions with the 'su' command from the 'shadow' suite) allows you to specify which users or groups are permitted to use su, providing a direct access control mechanism. Option E is correct because configuring pam_wheel.so in /etc/pam.d/su with the 'wheel' group restricts su access to only members of that group, a standard PAM-based method.
Q6
mediumFull explanation →

Based on the iptables output, what is the expected behavior for incoming SSH connections on eth0?

A

SSH connections are only allowed if they are part of an established connection.

B

SSH connections from any source to port 22 on eth0 are allowed if they are new.

The rule matches new SSH connections on eth0.

C

SSH connections are dropped because the default policy is DROP.

D

SSH connections are only allowed from the loopback interface.

Why: The iptables output shows a rule on the INPUT chain for eth0 that accepts TCP packets destined for port 22 (SSH) with the state NEW. This means that any incoming SSH connection attempt (SYN packet) that is not part of an existing connection is explicitly allowed. The default policy for the INPUT chain is ACCEPT (not shown as DROP), so even without this rule, SSH would be allowed, but the rule ensures it is explicitly permitted for new connections.

Want more System Security practice?

Practice this domain
7

Domain 7: Network Client Management

All Network Client Management questions
Q1
easyFull explanation →

A system administrator needs to configure a Linux client to use a specific DNS server for a particular domain. Which file should be modified to achieve this?

A

Edit /etc/hosts

B

Edit /etc/networks

C

Edit /etc/nsswitch.conf

D

Edit /etc/resolv.conf

resolv.conf contains DNS server IPs and domain/search directives to specify default domains.

Why: The /etc/resolv.conf file is the primary configuration file for DNS resolution on Linux systems. It allows specifying DNS servers (nameserver entries) and search domains, and can be configured to use a specific DNS server for a particular domain by adding a 'domain' or 'search' directive along with the appropriate nameserver. This file is read by the resolver library (glibc) during DNS lookups.
Q2
mediumFull explanation →

A Linux client is unable to resolve hostnames for external domains but can ping internal hosts by IP. The /etc/resolv.conf file is correctly configured with a valid DNS server. What is the most likely cause?

A

The /etc/hosts file contains an entry that overrides the DNS resolution for external domains.

B

The nmblookup service is not running.

C

The search domain in /etc/resolv.conf is incorrect, causing the resolver to append an inappropriate domain to queries.

An incorrect search domain can cause the resolver to try invalid fully qualified domain names, leading to resolution failures for external hosts.

D

The /etc/nsswitch.conf file is missing the 'dns' service in the 'hosts' line.

Why: Option C is correct because when a search domain is incorrectly configured in /etc/resolv.conf, the resolver appends that domain to single-label hostnames before querying the DNS server. For external fully qualified domain names (FQDNs), this can cause the resolver to send queries like 'externaldomain.com.incorrect.domain' instead of the intended domain, leading to resolution failures. Since internal IPs are reachable (bypassing DNS) and the DNS server itself is valid, the issue is most likely the resolver's domain search behavior.
Q3
hardFull explanation →

An administrator needs to configure a Linux client to automatically obtain an IP address from a DHCP server but also ensure that the client uses a specific static DNS server (8.8.8.8) regardless of the DHCP-provided DNS. Which configuration should be applied?

A

Add 'append domain-name-servers 8.8.8.8;' to /etc/dhcp/dhclient.conf

B

Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and set PEERDNS=no and DNS1=8.8.8.8

C

Add 'prepend domain-name-servers 8.8.8.8;' to /etc/dhcp/dhclient.conf

D

Add 'supersede domain-name-servers 8.8.8.8;' to /etc/dhcp/dhclient.conf

supersede overrides the DHCP-provided DNS servers with the specified one.

Why: Option D is correct because the `supersede` directive in `/etc/dhcp/dhclient.conf` forces the DHCP client to replace any DNS server addresses received from the DHCP server with the specified value (8.8.8.8). This ensures the client uses the static DNS server regardless of what the DHCP server offers, while still obtaining its IP address dynamically.
Q4
mediumFull explanation →

A Linux client is experiencing slow name resolution. The /etc/nsswitch.conf file has the line 'hosts: files dns'. The /etc/hosts file contains many entries. What is the most effective way to improve resolution speed?

A

Increase the DNS timeout in /etc/resolv.conf

B

Change the nsswitch.conf line to 'hosts: dns files'

Checking DNS first avoids reading the large hosts file for most queries, improving resolution speed for external names.

C

Install and configure nscd (Name Service Cache Daemon)

D

Remove all entries from /etc/hosts except localhost

Why: Option B is correct because the current order 'hosts: files dns' causes the resolver to check the entire /etc/hosts file first for every query, which is slow when the file contains many entries. Reversing the order to 'hosts: dns files' makes the resolver query DNS first, which is typically faster for most lookups, and only falls back to the local file if DNS fails. This directly addresses the bottleneck without requiring additional services or data removal.
Q5
easyFull explanation →

Which file is used by the NetworkManager daemon to store connection profiles on a Linux system?

A

/etc/NetworkManager/system-connections/

NetworkManager stores connection profiles as individual files in this directory.

B

/etc/sysconfig/network-scripts/

C

/etc/netctl/

D

/etc/systemd/network/

Why: NetworkManager stores per-connection profiles in the `/etc/NetworkManager/system-connections/` directory. Each profile is a keyfile (`.nmconnection` file) containing connection parameters such as SSID, security settings, and IP configuration. When NetworkManager starts or a connection is modified, it reads and writes these files to persist network configurations across reboots.
Q6
hardFull explanation →

A Linux client is configured with two network interfaces: eth0 (connected to the internet) and eth1 (connected to a private LAN). The default route is set to eth0. The client can access the internet but cannot access hosts on the private LAN. What is the most likely cause?

A

A firewall on the client is blocking ICMP packets on eth1.

B

The eth1 interface is not configured with an IP address.

C

The eth1 interface is not receiving a DHCP lease.

D

There is no route to the private subnet via eth1.

Without a specific route, traffic to the private subnet may be sent to the default gateway (eth0) and fail.

Why: Option D is correct because without a route to the private subnet via eth1, the client has no way to forward packets destined for the private LAN out of eth1. The default route via eth0 only handles traffic for destinations not explicitly matched by other routes; if the private subnet is not in the routing table, packets to that subnet will be sent to the default gateway (internet) and fail. The `ip route` command would show the missing entry, and adding a static route (e.g., `ip route add 192.168.1.0/24 dev eth1`) resolves the issue.

Want more Network Client Management practice?

Practice this domain

Frequently asked questions

How many questions are on the LPIC-2 exam?

The LPIC-2 exam has 60 questions and must be completed in 90 minutes. The passing score is 500/1000.

What types of questions appear on the LPIC-2 exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are LPIC-2 questions organised by domain?

The exam covers 7 domains: Linux Kernel and System Startup, Block Devices, Filesystems and Advanced Storage, Advanced Networking Configuration, DNS, Web and Mail Services, File Sharing and Samba, System Security, Network Client Management. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual LPIC-2 exam questions?

No. These are original exam-style practice questions written against the official LPI LPIC-2 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 60 LPIC-2 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all LPIC-2 questionsTake a timed practice test