Linux Professional Institute Certification Level 2 LPIC-2 (LPIC-2) — Questions 175

511 questions total · 7pages · All types, answers revealed

Page 1 of 7

Page 2
1
MCQhard

Which command can be used to test the entire name resolution order as defined in nsswitch.conf?

A.host
B.getent hosts
C.nslookup
D.dig
AnswerB

Tests resolution via nsswitch.

Why this answer

The `getent hosts` command queries the system's Name Service Switch (NSS) configured sources in the exact order defined in `/etc/nsswitch.conf`. It uses the `gethostbyname()` or `getaddrinfo()` library calls, which respect the `hosts:` line in nsswitch.conf (e.g., `files dns myhostname`), testing resolution through each source sequentially until a result is found or all sources are exhausted.

Exam trap

The trap here is that candidates often choose `dig` or `host` because they are familiar DNS tools, but they fail to realize that these commands bypass the NSS configuration and only test DNS, not the full resolution order including local files or other sources like `myhostname`.

How to eliminate wrong answers

Option A is wrong because `host` is a DNS lookup tool that bypasses the NSS configuration and queries DNS directly via the resolver library, not testing files like `/etc/hosts` or other NSS sources. Option C is wrong because `nslookup` is a deprecated DNS diagnostic tool that queries DNS servers directly, ignoring the NSS order entirely. Option D is wrong because `dig` is a flexible DNS lookup utility that performs direct DNS queries and does not consult `/etc/nsswitch.conf` or local name resolution sources like `/etc/hosts`.

2
Multi-Selecteasy

Which TWO commands can be used to display the current IP address and netmask of network interfaces on a Linux system?

Select 2 answers
A.arp -a
B.ifconfig
C.ip addr show
D.netstat -i
E.route -n
AnswersB, C

Traditional command to display interface configuration, including IP and netmask.

Why this answer

Both `ifconfig` and `ip addr show` can display the current IP address and netmask assigned to network interfaces. `ifconfig` is a legacy tool from the net-tools package that shows IPv4 addresses and netmasks (e.g., `inet 192.168.1.10 netmask 255.255.255.0`). `ip addr show` is the modern replacement from the iproute2 package, providing detailed IPv4 and IPv6 addressing information, including netmask in CIDR notation (e.g., `192.168.1.10/24`).

Exam trap

The trap here is that candidates may confuse `netstat -i` (interface statistics) with displaying IP configuration, or assume `arp -a` shows local interface addresses instead of remote MAC mappings.

3
MCQmedium

A Linux client is configured to use PAM for authentication against an LDAP server. The /etc/pam.d/system-auth includes 'auth required pam_ldap.so'. Users can authenticate successfully. However, when a user runs 'id username', it shows 'uid=1000(username) gid=100(users) groups=100(users)' but the LDAP group membership is not shown. Which configuration file is most likely misconfigured?

A.The PAM configuration uses 'required' instead of 'sufficient' for pam_ldap.
B.The /etc/ldap.conf file is missing the 'nss_base_group' line.
C.The /etc/nsswitch.conf 'group' line does not include 'ldap'.
D.The autofs service is not running.
AnswerC

Without this, group info comes only from files.

Why this answer

The 'id' command queries the Name Service Switch (NSS) to resolve user and group information. Even though PAM (via pam_ldap.so) successfully authenticates the user against LDAP, the group membership lookup fails because NSS is not configured to consult LDAP for group data. The /etc/nsswitch.conf file must include 'ldap' in the 'group' line (e.g., 'group: files ldap') to enable the system to retrieve LDAP group memberships.

Exam trap

The trap here is that candidates confuse PAM (authentication) with NSS (name resolution), assuming that successful LDAP authentication automatically means LDAP group lookups work, when in fact they are separate subsystems controlled by different configuration files.

How to eliminate wrong answers

Option A is wrong because changing 'required' to 'sufficient' affects the PAM authentication flow (e.g., whether other modules are tried), but does not impact how the 'id' command resolves group membership; the issue is with NSS, not PAM. Option B is wrong because the 'nss_base_group' line in /etc/ldap.conf defines the LDAP search base for groups, but without NSS configured to use LDAP for groups, this setting is never consulted. Option D is wrong because autofs is used for automounting filesystems and has no role in resolving LDAP group memberships.

4
MCQhard

An administrator needs to mount an NFSv4 export from server:/exports/data onto /mnt/data on a client. The requirement is to use Kerberos security, a hard mount, and ensure that the NFS server does not squash root's privileges. Which line in /etc/fstab correctly implements these requirements?

A.server:/exports/data /mnt/data nfs4 defaults,sec=none,hard,no_root_squash 0 0
B.server:/exports/data /mnt/data nfs4 defaults,sec=krb5,soft 0 0
C.server:/exports/data /mnt/data nfs4 defaults,sec=krb5,hard,no_root_squash 0 0
D.server:/exports/data /mnt/data nfs4 defaults,sec=krb5,hard 0 0
AnswerD

Correctly uses sec=krb5 and hard; no_root_squash is configured on the server.

Why this answer

Option D is correct because it specifies NFSv4 with Kerberos security (sec=krb5) and a hard mount, which meets the requirements. The no_root_squash option is not a valid mount option in /etc/fstab for the client side; it is an export option set on the NFS server in /etc/exports. Thus, D correctly omits it, as the client cannot enforce root squashing behavior.

Exam trap

The trap here is that candidates mistakenly include no_root_squash as a client-side mount option in /etc/fstab, confusing it with a server-side export option, or they choose a soft mount instead of hard.

How to eliminate wrong answers

Option A is wrong because sec=none disables Kerberos security, and no_root_squash is not a valid client-side mount option (it belongs in /etc/exports on the server). Option B is wrong because it uses soft instead of hard, which violates the hard mount requirement. Option C is wrong because it includes no_root_squash as a mount option in /etc/fstab, which is invalid; this option is only meaningful in the server's export configuration.

5
MCQmedium

An administrator needs to configure a wireless interface wlan0 with WPA2-PSK authentication and a static IP address 192.168.2.50/24. Which tool should be used to configure the wireless settings?

A.NetworkManager with nmcli
B.wpa_supplicant with a configuration file containing the PSK
C.iwconfig with key s:password
D.ifconfig wlan0 up and route add default gw 192.168.2.1
AnswerB

wpa_supplicant handles WPA2 authentication.

Why this answer

WPA2-PSK authentication requires the wpa_supplicant daemon, which handles the 4-way handshake and key derivation. A configuration file with the PSK (pre-shared key) is the standard method to define the network SSID and passphrase, allowing wpa_supplicant to manage the wireless association securely.

Exam trap

The trap here is that candidates confuse iwconfig's key parameter (which only works for WEP) with WPA2-PSK, or assume a higher-level tool like nmcli is the direct configuration tool, when the exam expects the low-level WPA2-PSK daemon wpa_supplicant.

How to eliminate wrong answers

Option A is wrong because NetworkManager with nmcli is a higher-level tool that often relies on wpa_supplicant underneath, but the question asks for the tool to configure wireless settings directly; nmcli is not the primary tool for raw WPA2-PSK configuration. Option C is wrong because iwconfig with key s:password only supports WEP encryption (open or shared key), not WPA2-PSK, and cannot handle the 4-way handshake or PSK derivation. Option D is wrong because ifconfig and route only manage IP addressing and routing, not wireless authentication or encryption; they cannot configure WPA2-PSK at all.

6
MCQmedium

An administrator wants to ensure a kernel module is loaded automatically at boot for a hardware device. Which file should be modified to add the module name?

A./etc/modprobe.d/blacklist.conf
B./etc/udev/rules.d/
C./etc/modules-load.d/
D./proc/sys/kernel/
AnswerC

Files in /etc/modules-load.d/ specify modules to load at boot.

Why this answer

Option C is correct because the `/etc/modules-load.d/` directory contains configuration files that list kernel module names to be loaded automatically at boot by the `systemd-modules-load.service`. This is the standard mechanism in modern Linux distributions using systemd to ensure specific modules are loaded early in the boot process, before udev or other services handle device detection.

Exam trap

The trap here is that candidates confuse the static boot-time module loading mechanism (`/etc/modules-load.d/`) with the dynamic device-driven module loading via udev rules (`/etc/udev/rules.d/`), mistakenly thinking udev is the correct place to force a module to load at boot regardless of device presence.

How to eliminate wrong answers

Option A is wrong because `/etc/modprobe.d/blacklist.conf` is used to prevent a kernel module from being loaded, not to force its loading at boot. Option B is wrong because `/etc/udev/rules.d/` contains udev rules that trigger actions based on device events (like loading modules when hardware is detected), but it does not directly specify modules to load automatically at boot independent of device events. Option D is wrong because `/proc/sys/kernel/` is a virtual filesystem for runtime kernel parameters (sysctl), not a configuration file for loading modules at boot.

7
MCQmedium

Which user can execute any command as any user without any password restriction?

A.alice
B.charlie
C.root
D.bob
AnswerC

Root has (ALL) ALL with no passwd restriction (default NOPASSWD for root?). Actually root's entry shows (ALL) ALL, but root is not subject to sudo restrictions? Usually root is all-powerful. In this exhibit, root's entry is like a regular user, but since root is the superuser, it's effectively unrestricted.

Why this answer

Option A is correct because root's entry (ALL) ALL implies unrestricted access. Option B is wrong because alice can only run specific commands as root with password. Option C is wrong because bob has (ALL) ALL but with PASSWD? Actually bob's entry says (ALL) ALL with PASSWD? Let's parse: 'root) PASSWD: /bin/systemctl, (ALL) ALL' means two entries: one for systemctl with password, and another (ALL) ALL.

The (ALL) ALL does not specify NOPASSWD, so it requires password? Actually default is PASSWD, so bob can run any command but must enter password. Option D is wrong because charlie can only run tail without password.

8
MCQmedium

A company runs a Postfix mail server that relays mail for internal clients. Users report that emails to a specific external domain 'example.org' are delayed by several hours. The administrator checks the mail logs and sees entries like: 'status=deferred (connect to mx.example.org[203.0.113.10]:25: Connection timed out)'. What is the most likely cause?

A.The company's mail server is not authorized to relay mail for the internal clients, causing a deferral.
B.The DNS MX record for example.org is misconfigured, pointing to a non-existent host.
C.The remote mail server mx.example.org is blocking connections from the company's mail server IP.
D.The remote server is rate limiting connections from the company's mail server.
AnswerC

Connection timed out suggests the remote server is not responding, often due to firewall or server issues.

Why this answer

The log entry 'Connection timed out' indicates that the company's Postfix server successfully resolved the MX record for example.org to the IP 203.0.113.10 but could not establish a TCP connection to port 25 on that host. This is consistent with the remote server explicitly blocking inbound connections from the company's IP, often via a firewall rule or access control list, rather than a DNS or rate-limiting issue.

Exam trap

The trap here is that candidates confuse 'deferred' with a relay authorization issue or a DNS problem, but the specific 'Connection timed out' error points to a network-layer block rather than an SMTP-level rejection or misconfiguration.

How to eliminate wrong answers

Option A is wrong because relaying authorization (e.g., permit_mynetworks, smtpd_relay_restrictions) controls whether Postfix accepts mail from clients for delivery, not whether it can connect to a remote server; the deferral occurs after the mail is accepted. Option B is wrong because the log shows a successful MX resolution to 203.0.113.10, meaning the DNS record is valid and points to an existing host; a misconfigured MX would cause a different error like 'Host not found' or 'Name service error'. Option D is wrong because rate limiting typically results in a connection being accepted but then throttled (e.g., '450 4.7.1 Service unavailable' or '421 Too many connections'), not a TCP-level timeout; a timeout suggests the remote host is not responding at all, which is characteristic of a firewall block.

9
MCQeasy

A Samba share is configured with 'guest ok = yes'. What must also be configured to allow guest access?

A.security = share
B.map to guest = Bad User
C.force user = nobody
D.guest only = Yes
AnswerB

This parameter maps authentication failures to the guest account, enabling guest access.

Why this answer

When 'guest ok = yes' is set on a Samba share, the server still requires a mechanism to map unauthenticated or failed authentication attempts to the guest account. The 'map to guest = Bad User' directive tells Samba to treat any connection attempt with an invalid username as a guest connection, which is necessary for guest access to function. Without this mapping, clients presenting a non-existent or incorrect username will be rejected rather than being granted guest privileges.

Exam trap

The trap here is that candidates often assume 'guest ok = yes' alone is sufficient for guest access, overlooking the mandatory 'map to guest' directive that actually enables the mapping of unknown users to the guest account.

How to eliminate wrong answers

Option A is wrong because 'security = share' is a deprecated Samba security mode that was removed in Samba 4.x; it does not control guest mapping and is not required for guest access. Option C is wrong because 'force user = nobody' forces all connections to run as the 'nobody' user, but it does not enable guest access—it only overrides the effective user for file operations after authentication. Option D is wrong because 'guest only = Yes' forces all connections to be treated as guest, but it still requires 'map to guest' to be set appropriately; without it, Samba will reject connections that do not match a valid user.

10
Multi-Selecthard

Which THREE actions are typically required to configure a VLAN interface on a Linux system?

Select 3 answers
A.Create the VLAN interface using ip link.
B.Add the physical interface to a bridge.
C.Load the 802.1q kernel module.
D.Configure iptables rules for the VLAN.
E.Assign an IP address to the VLAN interface.
AnswersA, C, E

The VLAN interface is created with a command like 'ip link add link eth0 name eth0.10 type vlan id 10'.

Why this answer

Option A is correct because the `ip link` command is used to create a VLAN interface by specifying the parent physical interface and the VLAN ID (e.g., `ip link add link eth0 name eth0.10 type vlan id 10`). This creates a virtual network interface that tags outgoing frames with the specified 802.1Q VLAN ID and strips tags from incoming frames.

Exam trap

The trap here is that candidates often think VLAN configuration requires bridging or iptables rules, but the core steps are simply loading the 8021q module, creating the VLAN interface with `ip link`, and assigning an IP address.

11
MCQhard

A client on the 192.168.2.0/24 network cannot obtain an IP address. Other clients on that subnet work fine. The DHCP server logs show no request from the client's MAC. What is the most likely cause?

A.No DHCP relay agent is configured on the client's subnet.
B.The range is too small for the number of clients.
C.The subnet declaration for 192.168.2.0 is missing option routers.
D.The client is configured with a static IP address.
AnswerA

Without a relay, broadcast requests don't cross routers.

Why this answer

The client's DHCP request never reaches the DHCP server, as indicated by the server logs showing no request from the client's MAC. Since other clients on the same subnet work fine, the DHCP server and the local subnet are functional. The most likely cause is that the client's subnet (192.168.2.0/24) lacks a DHCP relay agent (e.g., configured on a router or switch using the 'ip helper-address' command) to forward broadcast DHCPDISCOVER messages to the DHCP server located on a different subnet.

Without a relay agent, DHCP broadcasts are confined to the local subnet and cannot reach a remote server.

Exam trap

The trap here is that candidates often assume the problem is with the DHCP server configuration (e.g., scope exhaustion or missing options) rather than recognizing that the server never received the request, pointing to a Layer 3 forwarding issue like a missing DHCP relay agent.

How to eliminate wrong answers

Option B is wrong because if the IP address range were too small for the number of clients, the DHCP server would still receive the request and log it, but would respond with a NAK or no offer; the logs show no request at all. Option C is wrong because a missing 'option routers' directive would cause the client to receive an IP address but lack a default gateway, not prevent the DHCP request from being logged. Option D is wrong because a client configured with a static IP address would not send a DHCPDISCOVER message, so the server would not log a request from that MAC; however, the question states the client 'cannot obtain an IP address,' implying it is attempting DHCP but failing, and a static IP client would not attempt DHCP at all.

12
MCQmedium

An administrator wants to allow SSH access from the internal network (192.168.1.0/24) only, using nftables. Which rule should be added to the filter table input chain?

A.tcp dport 22 accept #from 192.168.1.0/24
B.tcp dport 22 accept; ip saddr 192.168.1.0/22 accept
C.iif lo accept; tcp dport 22 ip saddr 192.168.1.0/24 accept
D.tcp dport 22 ip saddr != 192.168.1.0/24 drop
AnswerC

Accepts loopback traffic and SSH from the specified subnet.

Why this answer

Option C is correct because it first accepts loopback traffic (iif lo accept) to avoid breaking local services, then uses a combined match: tcp dport 22 ip saddr 192.168.1.0/24 accept. This ensures only SSH packets from the 192.168.1.0/24 subnet are accepted, while all other SSH attempts are implicitly dropped by the default policy (typically drop) of the input chain. The rule syntax follows nftables' concise, single-line format without semicolons or comments.

Exam trap

The trap here is that candidates may confuse nftables syntax with iptables or think that a comment or semicolon can be used to add conditions, when in fact nftables requires explicit, comma-separated matches within a single rule statement.

How to eliminate wrong answers

Option A is wrong because it uses a comment (#from 192.168.1.0/24) which is not a valid nftables match condition; nftables does not parse comments as rules, so this rule would accept SSH from any source. Option B is wrong because it uses a semicolon to separate two accept actions, which is invalid nftables syntax; nftables rules are single statements, and the second 'accept' would cause a syntax error or be ignored. Option D is wrong because it uses '!=' to drop SSH from outside 192.168.1.0/24, but this would also drop SSH from the loopback interface (127.0.0.1) unless explicitly excluded, and it does not include an accept rule for the allowed subnet, so SSH from 192.168.1.0/24 would be implicitly dropped by the default policy.

13
MCQeasy

A small company runs a LAMP stack web server with Postfix mail server on a single Ubuntu 22.04 instance. The web server hosts a PHP application that sends password reset emails via the local mail server using PHP's mail() function. Recently, users report that password reset emails are not arriving. The administrator checks the mail log and finds that messages are being accepted by Postfix but are not being delivered. The mail queue shows messages with the status 'deferred'. There are no obvious errors in the mail log. The server has sufficient disk space and memory. The administrator suspects a DNS resolution issue. Which of the following is the most likely cause of the deferred mail?

A.The server's firewall is blocking outbound connections on port 25, causing connection timeouts.
B.The DNS resolver on the server is unable to resolve the MX records for the recipient domains.
C.The SPF record for the sender domain is missing, causing the recipient's mail server to reject the email.
D.The server's IP address has no PTR record, causing the recipient's mail server to reject the connection.
AnswerB

Postfix defers mail when it cannot resolve the MX or A record for the destination.

Why this answer

Postfix accepts the messages but defers delivery when it cannot resolve the recipient domain's MX record. The mail log shows no errors because the deferral is a normal queue action, not a failure. DNS resolution failure for MX records is a common cause of deferred mail, as Postfix cannot determine where to deliver the message.

Exam trap

The trap here is that candidates often assume a firewall or network issue is the cause when mail is deferred, but the absence of error logs and the 'deferred' status point specifically to a DNS resolution problem, not a connectivity or authentication issue.

How to eliminate wrong answers

Option A is wrong because if the firewall were blocking outbound port 25, Postfix would log connection timeouts or refused connections, not simply defer the message without errors. Option C is wrong because SPF records are checked by the recipient's mail server after delivery, not by the sending server; a missing SPF record would cause rejection at the recipient side, not deferral in the local queue. Option D is wrong because the absence of a PTR record may cause the recipient's server to reject the connection or mark mail as spam, but it does not prevent Postfix from attempting delivery; the deferral occurs before any connection is made.

14
MCQeasy

The server is unable to communicate with hosts on the 192.168.2.0/24 network. Based on the exhibit, what is the most likely cause?

A.The interface has a duplicate IP address.
B.The hardware address is corrupted.
C.The interface has no default gateway configured.
D.The subnet mask is incorrect.
AnswerC

Without a default gateway, traffic to other subnets cannot be routed.

Why this answer

The exhibit shows the interface has an IP address of 192.168.1.10/24 and a default gateway of 0.0.0.0, meaning no default gateway is configured. Without a default gateway, the host cannot route packets to the 192.168.2.0/24 network because that network is not directly connected (it is on a different subnet), and the host has no route to forward traffic beyond its local link. The `route -n` output would confirm the absence of a gateway entry, which is the most likely cause of the communication failure.

Exam trap

The trap here is that candidates often assume a missing default gateway only affects internet access, but it also prevents communication with any non-local subnet, including private networks like 192.168.2.0/24, leading them to incorrectly suspect subnet mask or IP conflicts.

How to eliminate wrong answers

Option A is wrong because a duplicate IP address would cause intermittent connectivity or address conflict messages (e.g., from ARP), but the exhibit shows no such indication, and the issue is specific to a different subnet, not local communication. Option B is wrong because a corrupted hardware address (MAC) would prevent any Layer 2 communication, including ARP, and the interface would likely show errors or fail to link; the exhibit does not suggest hardware corruption. Option D is wrong because the subnet mask is /24 (255.255.255.0), which correctly defines the local network as 192.168.1.0/24; an incorrect mask would affect local subnet determination, but the problem is with reaching a different subnet (192.168.2.0/24), which requires a gateway, not a mask change.

15
MCQmedium

A DevOps team manages a Kubernetes cluster on premises. The security team requires that all communication between pods be encrypted. The team decides to use mutual TLS (mTLS). They are using a Linux-based control plane with etcd and kube-apiserver. The current setup uses self-signed certificates for the API server, but the team wants to implement a proper PKI with automated certificate renewal. They have a small budget and prefer open-source tools. Which solution should they implement?

A.Generate certificates using OpenSSL on the control plane and distribute them via Kubernetes secrets manually.
B.Install cert-manager in the cluster and configure an Issuer to sign certificates with automatic renewal.
C.Use Cloudflare's cfssl tool to set up a custom CA and push certificates to nodes via Ansible.
D.Deploy Hashicorp Vault with PKI backend and use the Vault agent sidecar.
AnswerB

cert-manager is designed for Kubernetes and provides automated certificate lifecycle management.

Why this answer

Option C is correct. cert-manager is a Kubernetes-native tool that automates certificate management and integrates with Let's Encrypt or internal CAs. Option A (OpenSSL manual scripts) is non-automated and error-prone. Option B (Hashicorp Vault) is powerful but complex and has a learning curve, though it's also valid; however, cert-manager is more lightweight for Kubernetes.

Option D (Cloudflare's cfssl) is an alternative but not as integrated with Kubernetes; cert-manager is the standard.

16
MCQeasy

An administrator has configured Samba as a domain member for an Active Directory environment. For user authentication via winbind, which daemon must be running?

A.smbd
B.samba
C.winbindd
D.nmbd
AnswerC

winbindd is required for user/group resolution from AD.

Why this answer

In a Samba domain member configuration for Active Directory, the winbindd daemon is responsible for resolving user and group information from the Windows domain and providing authentication services via the Winbind protocol. It communicates with the Active Directory domain controller using DCE/RPC and LDAP to map Windows SIDs to Unix UIDs/GIDs, enabling seamless user authentication. Without winbindd running, winbind-based authentication (e.g., via PAM or nsswitch) will fail, even if smbd and nmbd are active.

Exam trap

The trap here is that candidates often confuse the Samba suite daemons, assuming smbd handles all authentication tasks, but winbindd is the specific daemon required for AD domain member authentication and identity mapping.

How to eliminate wrong answers

Option A is wrong because smbd handles file and printer sharing (SMB/CIFS protocol) and user authentication via its own password backend, but it does not perform the domain member winbind resolution; it relies on winbindd for that. Option B is wrong because 'samba' is not a daemon but the overall suite name; the actual daemon for winbind functionality is winbindd. Option D is wrong because nmbd provides NetBIOS name service and browsing (NetBIOS over TCP/IP), which is unrelated to Active Directory user authentication via winbind.

17
Multi-Selecteasy

An administrator needs to add a static route to the destination network 192.168.100.0/24 via gateway 10.0.0.1. Which TWO of the following commands accomplish this? (Choose two.)

Select 2 answers
A.ip route add 192.168.100.0/24 via 10.0.0.1
B.nmcli connection modify eth0 +ipv4.routes "192.168.100.0/24 10.0.0.1"
C.ifconfig eth0:1 192.168.100.1 netmask 255.255.255.0
D.iptables -A FORWARD -s 192.168.100.0/24 -j ACCEPT
E.route add -net 192.168.100.0/24 gw 10.0.0.1
AnswersA, E

The ip command adds the static route.

Why this answer

Option A is correct because the `ip route add` command is the modern Linux utility for adding static routes, specifying the destination network and gateway via the `via` keyword. Option E is correct because the legacy `route add -net` command also adds a static route, using the `gw` parameter to define the gateway, and both commands achieve the same result of adding a route to 192.168.100.0/24 via 10.0.0.1.

Exam trap

The trap here is that candidates often confuse adding a static route with adding an IP address to an interface (Option C) or with a firewall rule (Option D), and they may overlook that `nmcli` requires an additional activation step to apply the route immediately.

18
MCQhard

An administrator needs to configure an NFS client to mount an export from an NFSv4 server that requires Kerberos authentication. The client should mount the export at boot time. Which of the following must be ensured for the mount to succeed automatically?

A.The client must have a valid keytab for its host principal.
B.The NFS server must have the same hostname as the client.
C.The user must run kinit before mounting.
D.The mount must be performed via an autofs map.
AnswerA

The system keytab allows the client to authenticate without user interaction.

Why this answer

For an NFSv4 client to automatically mount an export requiring Kerberos authentication at boot time, the client must possess a valid keytab file containing its host principal (e.g., nfs/client.example.com@REALM). This keytab allows the system to obtain Kerberos credentials without interactive user input, enabling the kernel's NFS client to authenticate to the server during the mount process. Without a keytab, the mount would fail because no user is present to run kinit, and the system lacks the cryptographic material to prove its identity.

Exam trap

The trap here is that candidates may think running kinit manually or using autofs can substitute for a keytab, but the keytab is the only mechanism that provides non-interactive, boot-time Kerberos authentication for NFS mounts.

How to eliminate wrong answers

Option B is wrong because the NFS server and client do not need to have the same hostname; Kerberos authentication relies on service principal names (SPNs) and DNS resolution, not matching hostnames. Option C is wrong because kinit is an interactive command that requires a user to enter a password, which cannot occur at boot time; the keytab mechanism is designed to provide non-interactive authentication. Option D is wrong because autofs is a method for on-demand mounting and does not inherently solve the Kerberos credential problem; even with autofs, a valid keytab is still required for Kerberos-authenticated mounts.

19
Multi-Selecteasy

A system administrator wants to enforce key-based SSH authentication for all users on a server, disabling password authentication. Which two commands must be executed to achieve this? (Choose TWO.)

Select 2 answers
A.sshd -T
B.visudo
C.ssh-keygen -t rsa -b 4096
D.chmod 600 ~/.ssh/authorized_keys
E.ssh-copy-id user@server
AnswersC, E

Generates the SSH key pair.

Why this answer

The correct options are A and D. ssh-keygen generates the key pair, and ssh-copy-id copies the public key to the remote server. Option B (chmod 600) is for file permissions, C (sshd -T) tests the configuration, and E (visudo) edits sudoers.

20
Multi-Selectmedium

Which TWO commands can be used to rebuild the initramfs on modern Linux systems? (Choose two.)

Select 2 answers
A.dracut -f
B.mkinitrd
C.update-initramfs -u
D.grub-mkconfig
E.mkinitramfs
AnswersA, C

Correct for Red Hat-based systems.

Why this answer

Option A is correct because `dracut -f` forces the regeneration of the initramfs on modern Red Hat–based distributions (e.g., RHEL, CentOS, Fedora). Option C is correct because `update-initramfs -u` updates the initramfs on Debian/Ubuntu systems by rebuilding the current kernel's initramfs image. Both commands are the standard tools for rebuilding the initial RAM filesystem on their respective distributions.

Exam trap

The trap here is that candidates often confuse `mkinitrd` (legacy) with `dracut` or `update-initramfs`, or mistakenly think `grub-mkconfig` rebuilds the initramfs when it only updates the bootloader menu.

21
MCQmedium

An administrator sets up a Samba server with 'security = user'. Users are stored in the local smbpasswd file. After changing a user's Unix password, the user cannot access Samba shares. What should the administrator do?

A.Add the user to the 'valid users' list.
B.Run 'smbpasswd username' to set the SMB password.
C.Restart the smbd service.
D.Run 'pdbedit -u username' to modify the password.
AnswerB

Correct; SMB passwords are independent of Unix passwords and must be set explicitly.

Why this answer

When Samba is configured with 'security = user', each user must have a separate SMB password stored in the smbpasswd file (or the tdbsam backend). Changing the Unix password does not automatically update the SMB password. Running 'smbpasswd username' sets the SMB password for that user, allowing them to authenticate to Samba shares.

Exam trap

The trap here is that candidates assume changing the Unix password automatically updates the Samba password, or that restarting the service will synchronize them, when in fact they are stored in separate databases and must be updated independently.

How to eliminate wrong answers

Option A is wrong because the 'valid users' list controls which users are allowed to access a share, but it does not address the password mismatch; the user is already valid but cannot authenticate. Option C is wrong because restarting smbd does not change or synchronize passwords; it only reloads configuration and state. Option D is wrong because 'pdbedit -u username' is used to display or modify user database entries (e.g., account flags), not to set the password; the correct command to set the password is 'smbpasswd'.

22
MCQeasy

After modifying /etc/samba/smb.conf, which command should be used to verify the syntax before restarting the Samba service?

A.nmblookup
B.testparm
C.smbclient
D.smbstatus
AnswerB

testparm validates the smb.conf syntax and prints the effective configuration.

Why this answer

The `testparm` command is specifically designed to parse and validate the syntax of the Samba configuration file `/etc/samba/smb.conf`. It checks for errors such as misspelled parameters, invalid values, or structural issues without requiring the Samba services to be running. This makes it the correct tool to verify syntax before restarting Samba.

Exam trap

The trap here is that candidates may confuse `testparm` with diagnostic tools like `smbstatus` or `nmblookup`, assuming any Samba-related command can verify configuration, when only `testparm` is designed for that specific purpose.

How to eliminate wrong answers

Option A is wrong because `nmblookup` is used for NetBIOS name resolution queries against WINS servers or broadcasts, not for checking Samba configuration syntax. Option C is wrong because `smbclient` is an FTP-like client for accessing SMB/CIFS shares on remote servers; it does not parse or validate the local smb.conf file. Option D is wrong because `smbstatus` reports current Samba connections, open files, and locked files, but it does not perform any configuration syntax checking.

23
Multi-Selectmedium

Which TWO commands can be used to display the routing table on a Linux system?

Select 2 answers
A.route -n
B.ss -r
C.ip link show
D.ip route show
E.netstat -r
AnswersA, D

Displays routing table numerically.

Why this answer

The `route -n` command displays the kernel IP routing table with numeric addresses, avoiding DNS lookups for faster output. It is a traditional tool that directly reads the /proc/net/route file to show destination, gateway, netmask, and interface information. This makes it a valid and commonly used command for viewing the routing table on Linux.

Exam trap

The trap here is that candidates often confuse `ss -r` with a routing command, but `ss` is for socket statistics and `-r` resolves hostnames, not routes; similarly, `ip link show` is mistaken for a routing command when it only shows link-layer interfaces.

24
MCQhard

A Linux server in a DMZ hosts a custom web application that listens on TCP port 8080. The server is also configured with SSH on port 22 for remote administration. Recently, the security team noticed an increase in brute-force attacks against SSH from various external IPs. The server runs Fedora with firewalld as the firewall service. The current firewalld default zone is 'public', and the SSH service is allowed in the 'public' zone. The administrator wants to mitigate the brute-force attacks without blocking legitimate users. Additionally, the administrator wants to ensure that only specific administrative IP addresses can initiate SSH connections, and that SSH connections are rate-limited to prevent flooding. The administrator also needs to keep the web application accessible from any external IP. Which course of action best meets these requirements?

A.Move SSH to a non-standard port (e.g., 2222) and update the firewalld service definition accordingly.
B.Use iptables to create a whitelist for SSH, and install fail2ban to rate-limit after 3 failures.
C.Change the default zone to 'drop', then add a rich rule to allow SSH only from the administrative network.
D.Add a firewalld rich rule to allow SSH only from specific source IPs, and add a rich rule to limit connection rate for SSH. Keep the web application in the same zone with the appropriate service.
AnswerD

Rich rules provide granular control; direct rule syntax allows whitelist and rate limit.

Why this answer

Option C is correct because it uses firewalld's rich rules to create a whitelist for SSH and a rate limit. This directly meets the requirements without changing zones. Option A is wrong because changing the default zone to drop would also block HTTP (web app).

Option B is wrong because iptables commands are outside firewalld and may conflict; also fail2ban does not whitelist IPs easily. Option D is wrong because moving SSH to another port does not prevent brute-force, just changes the target.

25
MCQhard

An administrator needs to ensure a kernel module is never loaded, even if requested. Which file should be used?

A./etc/modprobe.d/deny.conf
B./etc/modprobe.d/blacklist.conf
C./lib/modprobe.d/blacklist.conf
D./etc/modules-load.d/blacklist.conf
AnswerB

Adding 'blacklist <module>' to a .conf file in /etc/modprobe.d/ prevents the module from being loaded automatically.

Why this answer

Option B is correct because the standard mechanism to prevent a kernel module from loading is to add a `blacklist` directive in a file under `/etc/modprobe.d/`, typically named `blacklist.conf`. The `modprobe` utility reads all `.conf` files in this directory, and a `blacklist <module_name>` entry ensures the module is never automatically loaded or loaded via `modprobe`, even if explicitly requested.

Exam trap

The trap here is that candidates confuse the purpose of `/etc/modprobe.d/` (for module options and blacklisting) with `/etc/modules-load.d/` (for loading modules at boot), leading them to choose Option D, which is for loading, not blocking.

How to eliminate wrong answers

Option A is wrong because `/etc/modprobe.d/deny.conf` is not a standard file name; the correct directive is `blacklist`, not `deny`, and the file name is arbitrary but conventionally `blacklist.conf`. Option C is wrong because `/lib/modprobe.d/` is a distribution-provided directory for default settings, not intended for administrator customizations; user modifications should go in `/etc/modprobe.d/` to override defaults. Option D is wrong because `/etc/modules-load.d/` is used to specify modules to load at boot via `systemd-modules-load.service`, not to blacklist modules; blacklisting is handled by `modprobe.d`.

26
MCQmedium

A laptop user frequently moves between different networks. The administrator wants the DNS configuration to update automatically when the laptop connects to a new network via DHCP. Which service or tool is most appropriate for this task?

A.NetworkManager
B.systemd-resolved
C.dhcpcd
D.resolvconf
AnswerA

NetworkManager handles DNS configuration dynamically when network changes occur.

Why this answer

NetworkManager is the most appropriate tool because it is designed to manage network connections on modern Linux systems, automatically detecting network changes and reconfiguring DNS settings based on DHCP-provided information. It integrates with various backends (e.g., systemd-resolved, resolvconf) to update the system's DNS configuration dynamically, making it ideal for a laptop that frequently moves between networks.

Exam trap

The trap here is that candidates often confuse systemd-resolved as a standalone solution for dynamic DNS updates, but it requires a network manager like NetworkManager to trigger the reconfiguration when the network changes.

How to eliminate wrong answers

Option B (systemd-resolved) is wrong because it is a DNS resolver and caching service, not a network connection manager; it relies on an external tool like NetworkManager to trigger DNS updates when the network changes. Option C (dhcpcd) is wrong because it is a DHCP client that can configure DNS, but it lacks the broader network management capabilities (e.g., handling multiple interfaces, Wi-Fi profiles) needed for a mobile laptop user, and it is not typically used as the primary network manager on modern distributions. Option D (resolvconf) is wrong because it is a framework for managing /etc/resolv.conf updates, but it does not handle network detection or DHCP itself; it requires another service (like NetworkManager or dhcpcd) to provide the DNS information.

27
MCQeasy

A Samba share is configured with 'writable = no'. What does this mean?

A.The share is read-only.
B.Users can read and write.
C.Only root can write.
D.Write access depends on Unix permissions.
AnswerA

Correct; write access is denied.

Why this answer

When a Samba share is configured with 'writable = no', it explicitly denies write access to the share at the Samba level, regardless of underlying Unix file permissions. This directive overrides any other settings (like 'write list') and makes the share read-only for all clients connecting via SMB/CIFS protocols. The correct interpretation is that the share is read-only, which matches option A.

Exam trap

The trap here is that candidates often confuse Samba-level directives with Unix file permissions, assuming that if Unix permissions allow write, the share must be writable, but Samba's 'writable = no' is a higher-priority setting that overrides Unix permissions at the protocol level.

How to eliminate wrong answers

Option B is wrong because 'writable = no' explicitly prevents writing, so users cannot both read and write. Option C is wrong because 'writable = no' applies to all users, including root; root's write access is not special in Samba unless overridden by 'admin users' or 'force user' directives, but the default behavior denies write to everyone. Option D is wrong because 'writable = no' is a Samba-level setting that takes precedence over Unix permissions; even if Unix permissions allow write, Samba will deny it at the protocol level.

28
MCQmedium

A system administrator needs to configure an NFS client to automatically mount an exported filesystem from a remote server whenever a user accesses the mount point. Which configuration approach is most appropriate?

A.Configure automount using autofs with an indirect map.
B.Add an entry to /etc/fstab with the 'defaults' option.
C.Use the 'mount -t nfs' command each time a user needs access.
D.Place a mount command in /etc/rc.local.
AnswerA

autofs mounts NFS shares on demand, reducing dependency on server availability.

Why this answer

Option A is correct because autofs with an indirect map allows the NFS filesystem to be mounted on-demand when a user accesses the mount point, and automatically unmounted after a period of inactivity. This is the standard Linux approach for dynamic, on-demand NFS mounting without requiring a persistent entry in /etc/fstab or manual intervention.

Exam trap

The trap here is that candidates often confuse on-demand mounting (autofs) with persistent mounting (/etc/fstab) or manual mounting, and may incorrectly assume that /etc/rc.local is a valid modern solution for automatic mounting.

How to eliminate wrong answers

Option B is wrong because adding an entry to /etc/fstab with the 'defaults' option causes the NFS filesystem to be mounted at boot time and remain mounted indefinitely, not on-demand when a user accesses the mount point. Option C is wrong because using 'mount -t nfs' each time a user needs access is not automated and requires manual intervention or scripting, defeating the purpose of automatic mounting. Option D is wrong because placing a mount command in /etc/rc.local mounts the filesystem at boot (similar to /etc/fstab), not on-demand, and /etc/rc.local is deprecated in modern systemd-based distributions.

29
MCQhard

Traffic from the 10.1.1.0/24 subnet is seen leaving through eth1 as intended, but reply traffic from the internet never comes back. What is the most likely cause?

A.The kernel parameter net.ipv4.conf.all.rp_filter is set to 1.
B.The ip rule priority is not set, causing it to be overridden.
C.The default route in table 200 points to 172.16.0.1 which does not have a route back to 10.1.1.0/24.
D.The router does not have a route back to 10.1.1.0/24 via eth0.
AnswerA

Strict reverse path filtering drops packets arriving on an interface that would not be used to reach the source, which commonly happens in asymmetric routing scenarios.

Why this answer

When `net.ipv4.conf.all.rp_filter` is set to 1, the kernel performs strict reverse path filtering. This means the kernel checks whether the source address of incoming packets can be reached via the interface they arrived on. If reply traffic from the internet arrives on an interface (e.g., eth0) that does not have a route back to the original source subnet (10.1.1.0/24) through that same interface, the kernel drops the packet.

This is the most likely cause because the outbound traffic leaves via eth1, but the reply comes back on a different interface, triggering the rp_filter check and causing the reply to be silently discarded.

Exam trap

The trap here is that candidates often assume the issue is a missing return route or a routing table misconfiguration, but the real culprit is the kernel's reverse path filtering, which silently drops packets that arrive on an interface that is not the best path back to the source.

How to eliminate wrong answers

Option B is wrong because ip rule priority is only relevant when multiple routing policies exist; if no other rules conflict, the rule will still be applied regardless of priority, and a missing priority does not cause traffic to be dropped. Option C is wrong because the default route in table 200 pointing to 172.16.0.1 is used for outbound traffic; if the router has a route back to 10.1.1.0/24 via eth0, the reply traffic would still reach the router, but the rp_filter drop would occur before the route is consulted. Option D is wrong because the router does not need a route back to 10.1.1.0/24 via eth0; the reply traffic is destined to 10.1.1.x, and the router only needs a route to forward that traffic back to the internal network, which is typically a directly connected subnet or a static route via the internal interface (e.g., eth1), not eth0.

30
MCQhard

A Samba share is used by macOS clients. File names with special characters (e.g., ©) appear garbled. Which parameter should be added to the share configuration?

A.vfs objects = catia
B.dos charset = CP850
C.mangled names = yes
D.fruit:aapl = yes
AnswerD

Correct; enables Apple Filing Protocol extensions for proper file name handling.

Why this answer

Option D is correct because the `fruit:aapl = yes` parameter enables the Samba VFS module for macOS (Apple Filing Protocol) compatibility, which handles special characters like © by mapping them to Unicode-compatible representations that macOS clients expect. Without this, macOS clients may misinterpret or garble filenames with non-ASCII characters when accessing Samba shares.

Exam trap

The trap here is that candidates often confuse character encoding issues with filesystem mangling or DOS code pages, but the real solution for macOS clients is the fruit VFS module's AAPL extension, not legacy charset parameters.

How to eliminate wrong answers

Option A is wrong because `vfs objects = catia` is used for handling special characters in filenames on systems that require CAD/CAM compatibility, not for macOS client character encoding issues. Option B is wrong because `dos charset = CP850` sets the DOS code page for SMB1 protocol, but macOS clients use SMB2/3 and Unicode, so this parameter does not address the garbling of special characters like ©. Option C is wrong because `mangled names = yes` controls how Samba handles long filenames by truncating them, not how special characters are encoded or displayed.

31
Multi-Selectmedium

Which TWO of the following commands are used to load a kernel module manually at runtime? (Choose two.)

Select 2 answers
A.loadmod
B.depmod
C.modprobe
D.modload
E.insmod
AnswersC, E

Loads a module by name, automatically resolving dependencies.

Why this answer

Both `modprobe` and `insmod` are standard Linux commands for manually loading kernel modules at runtime. `modprobe` is preferred because it automatically resolves and loads module dependencies, while `insmod` inserts a single module file directly without dependency resolution.

Exam trap

The trap here is that candidates may confuse `depmod` (which only builds dependency metadata) with a module-loading command, or assume `loadmod` or `modload` are valid Linux utilities when they are not.

32
MCQmedium

A Samba administrator notices that Windows clients cannot access a shared directory. The share is defined in smb.conf as follows: [shared] path = /srv/samba/shared valid users = @staff browseable = yes read only = no The /srv/samba/shared directory has permissions 755 and is owned by root:staff. Which is the most likely cause of the access issue?

A.The 'valid users' parameter is misspelled
B.The share is defined as browseable but not listed
C.SELinux is blocking access and must be disabled
D.The 'staff' group lacks write permission on the directory
AnswerD

755 gives owner rwx, group r-x, others r-x. Group cannot write.

Why this answer

The 'staff' group lacks write permission on the directory because the directory has permissions 755, which grants write access only to the owner (root). Even though the share is defined as 'read only = no', Samba enforces filesystem-level permissions. Since the 'valid users = @staff' restricts access to members of the staff group, they need write permission on the directory to create or modify files.

The group 'staff' has only read and execute permissions (r-x), so write operations fail.

Exam trap

The trap here is that candidates assume Samba's 'read only = no' alone grants write access, overlooking that Linux filesystem permissions are enforced independently and must also allow write for the effective user or group.

How to eliminate wrong answers

Option A is wrong because 'valid users' is correctly spelled in the configuration; a misspelling would cause a syntax error or be ignored, but the issue here is permissions. Option B is wrong because 'browseable = yes' means the share appears in network browsing lists, and there is no parameter 'listed' in Samba; this option describes a non-existent problem. Option C is wrong because while SELinux can block Samba access, it is not the most likely cause given the explicit permission mismatch; disabling SELinux is an extreme and unnecessary step, and the question asks for the most likely cause.

33
Drag & Dropmedium

Order the steps to configure a Linux system to use LDAP for authentication.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Install packages, configure LDAP client, modify nsswitch, modify PAM, then restart and test.

34
MCQeasy

Refer to the exhibit. A system administrator wants to replace disk sdb1 in the RAID1 array. After physically removing sdb, which sequence of commands should be used?

A.mdadm /dev/md0 --remove /dev/sdb1; mdadm /dev/md0 --add /dev/sdd1
B.mdadm /dev/md0 --fail /dev/sdb1; mdadm /dev/md0 --remove /dev/sdb1; mdadm /dev/md0 --add /dev/sdd1
C.mdadm /dev/md0 --fail /dev/sdb1; mdadm /dev/md0 --remove /dev/sdb1; mdadm --grow /dev/md0 --add /dev/sdd1; mdadm --manage /dev/md0 --run
D.mdadm /dev/md0 --fail /dev/sdb1; mdadm /dev/md0 --remove /dev/sdb1; mdadm /dev/md0 --add /dev/sdd1; mdadm --manage /dev/md0 --run
AnswerD

Proper sequence: fail, remove, add, run.

Why this answer

Option D is correct because after physically removing the failed disk (sdb), the administrator must first mark the device as failed using `--fail`, then remove it with `--remove`, add the new disk (sdd1) with `--add`, and finally run `--run` to ensure the array is activated if it was stopped or degraded. The `--run` flag is necessary because a RAID1 array with a missing device may not automatically start; this command forces the array to become active so the rebuild can begin.

Exam trap

The trap here is that candidates often forget the `--run` step, assuming the array will automatically start after adding a new disk, or they mistakenly use `--grow` for adding a replacement disk instead of `--add`.

How to eliminate wrong answers

Option A is wrong because it attempts to remove a device without first marking it as failed; `mdadm --remove` on an active device will fail unless the device is already failed or spare. Option B is wrong because it omits the `--run` command; after removing the failed disk and adding a new one, the array may remain in a stopped or degraded state and will not automatically start, preventing the rebuild. Option C is wrong because it incorrectly uses `--grow` instead of `--add` for adding a disk to a RAID1 array; `--grow` is used for reshaping arrays (e.g., changing RAID level or number of devices), not for adding a replacement disk, and the `--manage` flag with `--run` is redundant since `mdadm /dev/md0 --run` is the correct syntax.

35
MCQeasy

After installing a new kernel, the system administrator notices that the system boots to the old kernel by default. Which command should be used to update the GRUB configuration to boot the new kernel?

A.grub-install
B.mkinitrd
C.grub-set-default
D.update-grub
AnswerD

update-grub regenerates the GRUB configuration file.

Why this answer

The `update-grub` command (which is a wrapper for `grub-mkconfig -o /boot/grub/grub.cfg`) scans the installed kernels and regenerates the GRUB configuration file, automatically setting the newest kernel as the default boot entry. This ensures the system boots the newly installed kernel on the next reboot.

Exam trap

The trap here is that candidates confuse `grub-install` (which installs the bootloader) with updating the boot menu, or think `grub-set-default` can automatically detect and set the new kernel as default without regenerating the configuration.

How to eliminate wrong answers

Option A is wrong because `grub-install` installs GRUB to the Master Boot Record (MBR) or EFI System Partition (ESP), but does not update the boot menu entries or change the default kernel selection. Option B is wrong because `mkinitrd` (or `dracut`) creates an initial RAM disk image for a specific kernel, but does not modify the GRUB configuration or default boot order. Option C is wrong because `grub-set-default` sets the default boot entry by index or name in the saved default mechanism, but it does not scan for new kernels or regenerate the configuration file; it only changes the default selection within the existing menu.

36
MCQmedium

A Linux server with two NICs bonded in mode 1 (active-backup) was working correctly until a switch was replaced. Now, although both interfaces are up, the bond always shows only one active slave, and if that slave fails, traffic does not fail over. The bonding configuration uses miimon=100 and neither arp_interval nor arp_ip_target is set. You run 'cat /proc/net/bonding/bond0' and see that the MII status of both slaves is 'up' but the link failures count is 0 for the backup slave. What is the most likely cause, and which parameter should be adjusted?

A.Change bonding mode to mode 4 (802.3ad) with LACP.
B.Use ifenslave to manually reassign the backup slave.
C.Decrease miimon to 50 for faster detection.
D.Configure arp_interval and arp_ip_target to enable ARP monitoring.
AnswerD

ARP monitoring can detect reachability of a gateway, catching switch-level issues.

Why this answer

Option D is correct because without ARP monitoring (arp_interval and arp_ip_target), the bond relies solely on MII status to detect link failures. MII monitoring only detects physical link loss at the NIC level, not upstream switch failures or misconfigurations. In this scenario, the switch replacement likely caused a layer-2 or layer-3 issue that does not bring the NIC link down, so MII reports 'up' but traffic cannot pass.

Enabling ARP monitoring forces the bond to verify reachability of a target IP, triggering failover when ARP replies are lost.

Exam trap

The trap here is that candidates assume MII monitoring is sufficient for all failover scenarios, overlooking that MII only detects physical link loss, not upstream network failures that leave the NIC link up but break connectivity.

How to eliminate wrong answers

Option A is wrong because mode 4 (802.3ad) requires LACP support on the switch and both sides to negotiate a LAG; it does not solve a failover detection problem caused by a switch replacement that leaves MII status up. Option B is wrong because manually reassigning the backup slave with ifenslave does not address the root cause—the bond's failure detection mechanism is inadequate, and manual intervention would not provide automatic failover. Option C is wrong because decreasing miimon to 50 would only speed up MII polling, but since MII already reports 'up' and link failures count is 0, faster polling cannot detect the upstream failure that prevents traffic from passing.

37
MCQmedium

An organization requires that all email traffic from their mail server must be encrypted in transit. Which of the following is the most appropriate solution?

A.Implement IPsec to encrypt all traffic between mail servers.
B.Use SMTPS (SMTP over SSL) on port 465.
C.Configure the mail server to use SSH tunneling for all SMTP connections.
D.Enable STARTTLS on the SMTP server to encrypt connections.
AnswerD

STARTTLS upgrades plain SMTP to encrypted using TLS.

Why this answer

STARTTLS is the standard method for upgrading a plaintext SMTP connection to an encrypted one using TLS, as defined in RFC 3207. It allows the mail server to negotiate encryption on the standard SMTP port (25) or submission port (587), ensuring that email traffic is encrypted in transit without requiring a separate port or protocol. This is the most appropriate solution because it is widely supported, interoperable, and aligns with modern email security best practices.

Exam trap

The trap here is that candidates often confuse SMTPS (port 465) with STARTTLS, believing that using a dedicated SSL port is more secure, when in fact STARTTLS is the modern, standardized approach that allows encryption on standard ports and is required for compliance with many security frameworks.

How to eliminate wrong answers

Option A is wrong because IPsec encrypts all traffic at the network layer, which is overkill for email and introduces significant complexity in configuration and key management; it is not a standard solution for SMTP encryption. Option B is wrong because SMTPS on port 465 is a deprecated protocol that was never standardized by the IETF; it uses SSL/TLS from the start, which breaks compatibility with many mail servers and clients that expect STARTTLS negotiation. Option C is wrong because SSH tunneling requires an SSH server on the mail server and manual setup for each connection, which is impractical for a production mail server handling many concurrent connections; it also does not provide native SMTP encryption and adds unnecessary overhead.

38
Matchingmedium

Match each RAID level to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Striping without redundancy

Mirroring for redundancy

Striping with distributed parity

Striping with double distributed parity

Mirrored stripes combining RAID 1 and RAID 0

Why these pairings

RAID levels provide different performance and redundancy trade-offs.

39
MCQeasy

An administrator wants to restrict SSH access to a server so that only users from the domain 'example.com' can connect. Which file and syntax should be used with TCP Wrappers?

A.Add to /etc/hosts.deny: sshd: ALL
B.Add to /etc/hosts.allow: ALL: .example.com
C.Add to /etc/hosts.allow: sshd: .example.com
D.Add to /etc/hosts.allow: sshd: ALLOW .example.com
AnswerC

Allows SSH connections from example.com domain.

Why this answer

Option C is correct because TCP Wrappers uses hosts.allow and hosts.deny. The syntax 'sshd: ALLOW .example.com' is incorrect; the correct syntax is 'sshd: .example.com' in hosts.allow. Option A is wrong because hosts.deny is for denying; but the question asks to allow only.

Option B is wrong because the syntax is reversed. Option D is wrong because 'sshd: ALLOW .example.com' is not valid syntax.

40
MCQmedium

A company's file server uses NFS to export /data to clients. An administrator configures an NFS client by running 'mount -t nfs fileserver:/data /mnt/data'. The mount succeeds and the user can read files. However, after a network interruption, the client system becomes unresponsive when a user attempts to access /mnt/data. Which action should the administrator take to prevent this issue in the future?

A.Add the 'intr' mount option to allow signal interrupts.
B.Add the 'soft' option to the mount command: 'mount -t nfs -o soft fileserver:/data /mnt/data'.
C.Increase the timeout value with 'timeo=600' and keep the hard mount.
D.Use the 'noac' option to disable attribute caching.
AnswerB

Soft mounts timeout and fail gracefully.

Why this answer

Option B is correct because using a 'soft' mount causes NFS operations to return an error to the calling application after a timeout, rather than hanging indefinitely. This prevents the client system from becoming unresponsive when the NFS server is unreachable, as the kernel will not retry the request forever. The default 'hard' mount (used in the original command) will keep retrying until the server responds, which can block processes and make the system appear frozen.

Exam trap

The trap here is that candidates often confuse 'intr' as a valid solution for interrupting hung mounts, but modern kernels have deprecated it, making 'soft' the only reliable way to prevent client unresponsiveness during network failures.

How to eliminate wrong answers

Option A is wrong because the 'intr' mount option is deprecated in modern Linux kernels (since around kernel 2.6.25) and does not reliably allow signal interrupts to break a hung hard mount; it was historically used to allow manual interruption but is no longer effective. Option C is wrong because increasing the timeout with 'timeo=600' while keeping a 'hard' mount only delays the hang; the client will still become unresponsive after the longer timeout period if the server remains unreachable. Option D is wrong because 'noac' disables attribute caching, which can reduce performance but does not address the fundamental issue of a client hanging during network interruptions; it has no effect on the retry behavior of hard vs. soft mounts.

41
MCQhard

An administrator needs to configure Samba to use encrypted passwords via LDAP backend. The LDAP server is already set up with the necessary schema. Which passdb backend should be specified in smb.conf?

A.passdb backend = ldap:ldap://ldap.example.com
B.passdb backend = secret:ldap://ldap.example.com
C.passdb backend = sam:ldap://ldap.example.com
D.passdb backend = ldapsam:ldap://ldap.example.com
AnswerD

Correct syntax for LDAP passdb backend.

Why this answer

Option D is correct because the `ldapsam` passdb backend is the Samba module specifically designed to store and authenticate user accounts (including encrypted passwords) against an LDAP directory. The syntax `ldapsam:ldap://ldap.example.com` tells Samba to use the LDAP SAM (Security Account Manager) backend, which maps Samba's account attributes to LDAP entries using the standard Samba LDAP schema (e.g., sambaSamAccount).

Exam trap

The trap here is that candidates may recall that Samba uses 'ldap' as a general term for LDAP integration and incorrectly assume the backend name is simply `ldap`, but the actual required backend name is `ldapsam` to specifically indicate the SAM (Security Account Manager) module for user and password storage.

How to eliminate wrong answers

Option A is wrong because `ldap` is not a valid Samba passdb backend name; Samba uses `ldapsam` (or `ldapsam_compat`) for LDAP-based password storage, not a bare `ldap` keyword. Option B is wrong because `secret` is not a recognized passdb backend; it appears to confuse Samba's `secrets.tdb` file (which stores machine trust passwords) with a user authentication backend. Option C is wrong because `sam` refers to the built-in TDB-based SAM backend (e.g., `tdbsam`), not an LDAP backend; appending an LDAP URI to `sam` is syntactically invalid and would cause Samba to fail to load the backend.

42
MCQhard

An administrator is configuring nftables to log and drop packets from a specific IP. The rule must be added to the input hook. Which command accomplishes this?

A.nft add rule inet filter input ip saddr 10.0.0.5 log accept
B.nft add rule inet filter input ip saddr 10.0.0.5 log drop
C.nft add rule inet filter input ip saddr 10.0.0.5 log prefix "DROP" drop
D.nft add rule ip filter input ip saddr 10.0.0.5 drop
AnswerC

This is the correct syntax: log with a prefix and then drop.

Why this answer

The correct nftables command uses the input hook, specifies source IP, and includes log prefix and drop. Option B uses 'log prefix' which is incorrect syntax; C logs and accepts; D drops without logging.

43
MCQeasy

An administrator wants to automatically mount home directories from an NFS server when a user logs in. Which service should be configured?

A.rpcbind
B.smb
C.autofs
D.nfs
AnswerC

autofs mounts directories automatically upon access.

Why this answer

Autofs is the correct service because it provides on-demand mounting of NFS home directories triggered by user login. It uses the automount daemon to mount directories only when accessed, reducing network overhead and avoiding permanent mount entries in /etc/fstab. This is the standard Linux solution for dynamic NFS home directory mounting.

Exam trap

The trap here is that candidates confuse the underlying NFS protocol (option D) with the automounting service (autofs), or mistakenly think rpcbind (option A) handles the mounting logic, when in fact rpcbind only facilitates NFS communication and autofs is the dedicated service for on-demand mounts.

How to eliminate wrong answers

Option A is wrong because rpcbind is a service that maps RPC program numbers to network addresses, required for NFS communication but not responsible for automatic mounting. Option B is wrong because smb (Samba) provides file sharing via SMB/CIFS protocol, not NFS, and is unrelated to automounting NFS home directories. Option D is wrong because nfs refers to the NFS server or client kernel modules and utilities, which handle the actual file sharing protocol but do not provide automatic mounting on login; that requires a separate automounter like autofs.

44
MCQmedium

A small office network uses a Linux server running dnsmasq to provide DHCP and DNS services. The server runs Ubuntu with dnsmasq version 2.80. The configuration file /etc/dnsmasq.conf includes: 'interface=eth0', 'dhcp-range=192.168.1.100,192.168.1.200,12h', and no other DNS-related options. Clients receive IP addresses from the DHCP server and can access the internet. However, clients cannot ping other clients by hostname (e.g., 'ping workstation1' fails with NXDOMAIN). The dnsmasq logs show that DHCP requests are handled and the client hostnames are recorded. The administrator verifies that /etc/hosts contains only the localhost entry. Which of the following is the most likely cause?

A.The dnsmasq 'local' directive is not configured to treat local hostnames as authoritative.
B.The dnsmasq 'expand-hosts' option is not enabled.
C.The dnsmasq 'domain-needed' option is set, blocking local domain resolution.
D.The dnsmasq 'no-hosts' option is configured, ignoring /etc/hosts.
AnswerA

Without a local domain definition, dnsmasq forwards single-label queries upstream.

Why this answer

The correct answer is A because without the 'local' directive (or equivalent '--local' / 'localise-queries'), dnsmasq does not treat hostnames from DHCP leases as authoritative for DNS resolution. By default, dnsmasq only answers queries for names it knows from /etc/hosts or from upstream DNS, but it does not automatically resolve DHCP client hostnames unless explicitly told to do so via 'local' or 'domain' settings. Since the logs show hostnames are recorded but NXDOMAIN is returned, the missing 'local' directive is the most likely cause.

Exam trap

The trap here is that candidates often assume DHCP hostnames are automatically resolvable via DNS, but dnsmasq requires explicit configuration (like 'local' or 'domain') to enable this, and they may incorrectly attribute the issue to 'expand-hosts' or 'domain-needed' instead.

How to eliminate wrong answers

Option B is wrong because 'expand-hosts' only adds the domain suffix to hostnames listed in /etc/hosts, not to DHCP lease hostnames; it does not enable resolution of DHCP client hostnames. Option C is wrong because 'domain-needed' prevents forwarding queries for unqualified names (without a dot) to upstream DNS servers, but it does not block local resolution; in fact, it would cause dnsmasq to return NXDOMAIN for single-label names only if no local data exists, which is the symptom but the root cause is the missing 'local' directive. Option D is wrong because 'no-hosts' ignores /etc/hosts entirely, but the problem is about DHCP lease hostnames, not /etc/hosts entries; even if /etc/hosts were ignored, DHCP hostnames would still be unresolved without 'local'.

45
Multi-Selecthard

A Samba administrator needs to configure a share that allows only the user 'alice' and the group 'developers' to read and write files. Others should have no access. Which two parameters should be set in the share definition? (Choose two.)

Select 2 answers
A.valid users = alice, @developers
B.invalid users = alice, @developers
C.force user = alice
D.write list = alice, @developers
E.read list = alice, @developers
AnswersA, D

Restricts access to alice and members of the developers group.

Why this answer

The 'valid users' parameter restricts access to only the specified users and groups, so setting 'valid users = alice, @developers' ensures only alice and members of the developers group can connect to the share. The 'write list' parameter grants write access to the listed users and groups, overriding any read-only setting; combining it with 'valid users' ensures that alice and the developers group have both read and write permissions, while all others are denied access entirely.

Exam trap

The trap here is that candidates often confuse 'valid users' with 'write list' or think 'invalid users' can be used to deny everyone except the listed users, but 'invalid users' explicitly blocks those users rather than allowing them, and 'write list' alone does not restrict access to only those users.

46
MCQmedium

A company's Linux router uses iptables. The administrator needs to log all dropped packets (by default policy) before they are dropped. Where should the LOG rule be placed?

A.In the FORWARD chain with target LOG
B.In the INPUT chain before the drop rule
C.In a custom chain called LOGDROP and jump to it
D.In the FORWARD chain with -j LOG --log-prefix 'DROPPED' and then -j DROP
AnswerD

Logs and then explicitly drops packets that reached end of chain, emulating default policy for logging.

Why this answer

Option D is correct because the LOG rule must be placed in the FORWARD chain before the DROP action to log packets that are dropped by the default policy. In iptables, the LOG target does not terminate the rule; it logs the packet and then continues to the next rule. By placing `-j LOG --log-prefix 'DROPPED'` followed by `-j DROP`, the packet is logged before being explicitly dropped, ensuring that packets matching the default policy (which drops at the end of the chain) are captured in the log.

The FORWARD chain is the correct chain for a router handling traffic that is not destined for the router itself.

Exam trap

The trap here is that candidates often think the LOG rule must be placed in the INPUT chain (for incoming traffic) or that a custom chain is required, but the correct placement is in the FORWARD chain with an explicit DROP action after the LOG to ensure logging before the default policy drop.

How to eliminate wrong answers

Option A is wrong because placing the LOG rule in the FORWARD chain with only target LOG (without a subsequent DROP) would log the packet but then continue processing; if the default policy is DROP, the packet would still be dropped at the end of the chain, but the LOG rule would not be reached if the packet is matched by an earlier rule that drops it. Option B is wrong because the INPUT chain handles traffic destined for the router itself, not forwarded traffic; dropped packets in a router scenario occur in the FORWARD chain, so logging in INPUT would miss the relevant packets. Option C is wrong because while a custom chain can be used for logging and dropping, the question specifies that the administrator needs to log all dropped packets by the default policy; jumping to a custom chain would only log packets that match a specific rule, not those dropped by the default policy at the end of the chain.

47
Multi-Selecteasy

Which TWO commands can be used to query a Samba server for its available shares and workgroups?

Select 2 answers
A.net share
B.smbclient -L
C.smbstatus
D.testparm
E.nmblookup
AnswersB, E

Correct. smbclient -L lists shares on a specified server.

Why this answer

The `smbclient -L` command queries a Samba server for its available shares and workgroups by listing the server's exported resources. The `-L` option specifies the server to query, and it uses the SMB protocol to retrieve the share list and workgroup information from the remote Samba server.

Exam trap

The trap here is that candidates often confuse `smbclient -L` with `smbstatus` or `testparm`, thinking those commands also list remote shares, when in fact they only inspect local server state or configuration.

48
MCQmedium

Refer to the exhibit. The administrator wants to mount /dev/sdb1 at /data using its UUID. Which /etc/fstab entry is correct?

A./dev/sdb1 /data ext4 defaults 0 0
B.PARTUUID=ijkl-9012 /data ext4 defaults 0 0
C.UUID=12345678-01 /data ext4 defaults 0 0
D.UUID=ijkl-9012 /data ext4 defaults 0 0
AnswerD

This entry uses the correct filesystem UUID from blkid.

Why this answer

Option D is correct because the administrator wants to mount /dev/sdb1 using its UUID, and the exhibit (not shown) indicates that the UUID of /dev/sdb1 is 'ijkl-9012'. The correct /etc/fstab syntax uses the 'UUID=' prefix followed by the actual UUID value, the mount point, filesystem type, options, dump, and pass fields. This ensures the filesystem is identified by its universally unique identifier, which remains stable even if the device name changes.

Exam trap

The trap here is that candidates often confuse UUID (filesystem identifier) with PARTUUID (partition identifier) or mistakenly use the wrong UUID value from the exhibit, leading them to select an option with an incorrect or mismatched identifier.

How to eliminate wrong answers

Option A is wrong because it uses the device path /dev/sdb1, not the UUID, which defeats the purpose of mounting by UUID and makes the mount vulnerable to device name changes. Option B is wrong because it uses 'PARTUUID=' which refers to a partition table UUID (GPT partition identifier), not the filesystem UUID; this would mount the partition by its partition identifier rather than the filesystem UUID. Option C is wrong because it uses 'UUID=12345678-01', which is not the correct UUID for /dev/sdb1 as indicated in the exhibit (the correct UUID is 'ijkl-9012').

49
Multi-Selecthard

Which TWO network diagnostic steps should be performed to isolate a problem where a Linux server (IP 10.0.0.10/24) cannot reach a remote server (IP 192.168.1.50/24) while other hosts on the same subnet can reach it? Assume routing is properly configured.

Select 2 answers
A.Check the routing table on the remote server.
B.Ping the remote server from another host on the same subnet to verify connectivity.
C.Traceroute to the remote server from the affected server.
D.Check iptables rules for any OUTPUT chain that might be dropping packets.
E.Verify the ARP cache on the server for the default gateway.
AnswersD, E

Local firewall rules can block outbound traffic even if routing is correct.

Why this answer

Option D is correct because if the affected server can reach the remote server via other hosts on the same subnet, the issue is likely local to the affected server itself. Checking iptables rules on the OUTPUT chain can reveal whether a firewall rule is specifically dropping outbound packets destined for 192.168.1.50, which would not affect other hosts on the same subnet. This is a common cause of asymmetric connectivity problems where routing is otherwise properly configured.

Exam trap

The trap here is that candidates often assume a routing issue (Option A or C) when the problem is actually a local firewall or ARP issue, because the symptom 'cannot reach' is frequently misattributed to routing rather than to host-specific packet filtering or layer-2 resolution failures.

50
MCQeasy

Which of the following is a mail delivery agent (MDA)?

A.Postfix
B.Dovecot
C.Sendmail
D.Procmail
AnswerD

Procmail is a well-known MDA that filters and delivers email.

Why this answer

Procmail is a classic mail delivery agent (MDA) that receives messages from a mail transfer agent (MTA) and delivers them to a user's local mailbox, often applying filtering rules based on recipes. It operates after the MTA has accepted the message, making it the correct choice for an MDA.

Exam trap

The trap here is that candidates confuse MTAs (Postfix, Sendmail) and mail retrieval servers (Dovecot) with the specific role of an MDA, which is solely responsible for local delivery and filtering.

How to eliminate wrong answers

Option A is wrong because Postfix is a mail transfer agent (MTA) that routes and relays mail between servers, not a delivery agent. Option B is wrong because Dovecot is a mail delivery agent (MDA) only in the sense of delivering to IMAP/POP3 mailboxes, but it is primarily a mail retrieval and storage server (IMAP/POP3 daemon), not a traditional MDA like Procmail. Option C is wrong because Sendmail is an MTA that handles message transfer and routing, not local delivery.

51
MCQhard

A medium-sized company uses a Linux server as its internet gateway. The server runs Ubuntu 20.04 and has two network interfaces: eth0 (IP 192.168.1.1/24) connected to the internal LAN, and eth1 (DHCP client, obtains IP 203.0.113.10/24, gateway 203.0.113.1) connected to the ISP modem. The server uses iptables for NAT with the rule 'iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE'. IP forwarding is enabled (net.ipv4.ip_forward=1). Firewalld is running with the default zone set to 'public'. For the past week, internal clients on 192.168.1.0/24 have reported intermittent connectivity to external websites. The administrator notices that during the failures, packets sent to external websites leave the internal network (tcpdump on eth1 shows SYN), but the response SYN-ACK never reaches the client. The administrator checks that the iptables FORWARD chain has a default policy of ACCEPT and no restrictive rules. Which of the following is the most likely cause?

A.The server's routing table is missing a route back to the internal network.
B.The MASQUERADE rule is missing the source network specification.
C.The firewall is dropping incoming packets on eth1 due to default zone settings.
D.The default gateway on the internal clients is not set to the Linux server's internal IP.
AnswerC

Firewalld's public zone drops incoming SYN-ACK packets.

Why this answer

Firewalld, when running with the default zone set to 'public', applies a default 'reject' or 'drop' policy for incoming traffic on interfaces assigned to that zone. Since eth1 (the external interface) is likely assigned to the public zone, incoming SYN-ACK packets (which are part of established connections) are dropped by firewalld before they can be processed by iptables. This explains why tcpdump on eth1 shows outgoing SYN packets but no incoming SYN-ACK, even though iptables FORWARD chain is permissive.

Exam trap

The trap here is that candidates often focus on iptables rules and forget that firewalld, when running, can override iptables policies, especially with its default zone settings that drop incoming packets on external interfaces.

How to eliminate wrong answers

Option A is wrong because the server's routing table already has a route to the internal network (192.168.1.0/24) via eth0, and the default gateway is correctly set on eth1; missing a route back would cause all traffic to fail, not just intermittent failures. Option B is wrong because the MASQUERADE rule without a source specification works correctly for all outgoing traffic on eth1, as it dynamically masquerades any source IP; adding a source network specification is optional and not required for basic NAT functionality. Option D is wrong because if internal clients had the wrong default gateway, they would never be able to send packets to external websites at all, and the administrator confirms that SYN packets do leave eth1, indicating the clients' gateway is correctly set to 192.168.1.1.

52
Multi-Selecthard

Which THREE of the following are standard steps in compiling and installing a custom Linux kernel from source? (Choose three.)

Select 3 answers
A.make modules_install
B.make menuconfig
C.make install
D.make
E.make oldconfig
AnswersB, C, D

This step configures the kernel features and modules before compilation.

Why this answer

Option B is correct because `make menuconfig` is a standard step that launches a text-based menu-driven interface for configuring kernel options before compilation. This step allows the user to select which features, drivers, and modules to include in the kernel build, generating the `.config` file that guides the subsequent compilation.

Exam trap

The trap here is that candidates often confuse `make modules_install` as a core compilation step rather than a post-compilation installation step, and may overlook that `make install` is the standard step for installing the kernel image itself, while `make oldconfig` is a configuration update tool, not a standard step in a fresh build.

53
Multi-Selectmedium

Which TWO DHCP options are commonly used to provide network configuration to clients? (Choose two.)

Select 2 answers
A.routers
B.subnet-mask
C.ntp-servers
D.host-name
E.domain-name-servers
AnswersA, E

Provides default gateway.

Why this answer

Option A (routers) is correct because the DHCP option 3 (Router) provides the default gateway address to clients, enabling them to route traffic outside their local subnet. Option E (domain-name-servers) is correct because DHCP option 6 (Domain Name Server) supplies the DNS server addresses, allowing clients to resolve domain names. Both are essential for basic network connectivity and are almost universally configured in DHCP scopes.

Exam trap

LPI often tests the distinction between 'subnet mask' as a critical parameter versus a formal DHCP option number, leading candidates to select 'subnet-mask' because they know it is necessary, but the correct option name in the exam context is 'routers' and 'domain-name-servers' as the two most commonly configured options.

54
MCQhard

Refer to the exhibit. The output shows a DHCP exchange between a client (MAC 00:1a:2b:3c:4d:5e) and a server (192.168.1.1). The client is not obtaining an IP address. What is the most likely reason?

A.The client's /etc/dhcp/dhclient.conf contains a 'reject' statement that rejects offers from this server.
B.The DHCP server did not receive the client's request.
C.The DHCP server is not reachable from the client.
D.The client's MAC address is not authorized on the DHCP server.
AnswerA

If the client rejects the server, it will ignore the offer and continue sending requests.

Why this answer

Option A is correct because the DHCP client can be configured with a 'reject' statement in /etc/dhcp/dhclient.conf to ignore offers from specific servers. In this scenario, the client sends a DHCPDISCOVER, receives a DHCPOFFER from 192.168.1.1, but then does not proceed to DHCPREQUEST, indicating the offer was rejected locally. This matches the behavior of a reject rule, which causes the client to discard the offer without further communication.

Exam trap

The trap here is that candidates often assume DHCP failures are always server-side (e.g., authorization or reachability), overlooking client-side configuration files like dhclient.conf that can silently discard valid offers.

How to eliminate wrong answers

Option B is wrong because the exhibit shows the DHCP server received the client's DHCPDISCOVER and responded with a DHCPOFFER, proving the server is reachable and received the initial request. Option C is wrong because the DHCP server's DHCPOFFER was successfully transmitted to the client, as shown in the output, confirming bidirectional reachability. Option D is wrong because if the client's MAC address were unauthorized, the server would typically not respond with a DHCPOFFER at all, or would send a DHCPNAK; the presence of a DHCPOFFER indicates the server is willing to provide an address.

55
MCQmedium

A company runs a mixed environment with Linux and Windows clients. The Samba server is configured as a domain member for authentication. Users authenticate via Active Directory using winbind. Recently, the IT department implemented a new password policy that requires all users to change passwords every 90 days. After the policy took effect, several users report that they cannot access Samba shares from their Linux clients (using smbclient) even though they can log into their Windows desktops with the same credentials. The error message on Linux is 'session setup failed: NT_STATUS_LOGON_FAILURE'. The administrator runs 'wbinfo -a username%password' and it succeeds. What is the most likely cause?

A.The Samba server's krb5.conf is misconfigured for the new password policy.
B.The users' passwords contain characters that are not being encoded correctly by smbclient.
C.The Samba server's cached credentials for these users have expired and not been refreshed.
D.The Linux clients are using an older version of Samba that does not support the new password policy.
AnswerC

Winbind caches credentials; after a password change, the cache may be stale.

Why this answer

Option C is correct because when a Samba server is a domain member using winbind, it caches user credentials to reduce authentication traffic to the domain controller. After the new 90-day password policy, users changed their passwords on Windows, but the cached credentials on the Samba server were not refreshed. The `wbinfo -a` command succeeds because it contacts the domain controller directly, bypassing the cache, while `smbclient` fails because it uses the stale cached credentials, resulting in NT_STATUS_LOGON_FAILURE.

Exam trap

The trap here is that candidates assume `wbinfo -a` success means the Samba server is fully functional, overlooking that cached credentials can cause failures for tools that rely on the cache, such as `smbclient` or mount.cifs.

How to eliminate wrong answers

Option A is wrong because krb5.conf configuration affects Kerberos authentication, but the error message 'session setup failed: NT_STATUS_LOGON_FAILURE' indicates NTLM or password-based authentication failure, not a Kerberos ticket issue; the new password policy does not directly impact krb5.conf. Option B is wrong because smbclient handles character encoding correctly for standard ASCII and UTF-8 passwords; if encoding were the issue, `wbinfo -a` would also fail, but it succeeds. Option D is wrong because the password policy (90-day expiry) is enforced by Active Directory, not by the Samba client version; older Samba versions still support password changes and authentication as long as they are domain members.

56
MCQmedium

In a Samba domain member server, which file contains the SID to Unix ID mappings?

A./etc/group
B./var/lib/samba/winbindd_idmap.tdb
C./var/lib/samba/private/secrets.tdb
D./etc/passwd
AnswerB

Correct; this TDB file stores SID-to-UID/GID mappings.

Why this answer

B is correct because Samba domain member servers use the winbindd service to map Windows SIDs to Unix UIDs/GIDs, and these mappings are stored in the `winbindd_idmap.tdb` file located in `/var/lib/samba/`. This TDB (Trivial Database) file maintains the persistent ID mapping database, which is essential for translating between the two security identifier systems.

Exam trap

The trap here is that candidates often confuse the `secrets.tdb` file (which stores machine secrets) with the `winbindd_idmap.tdb` file (which stores ID mappings), leading them to select option C incorrectly.

How to eliminate wrong answers

Option A is wrong because `/etc/group` stores Unix group definitions and GID assignments, not SID-to-Unix ID mappings; it is a local system file unrelated to Samba's ID mapping. Option C is wrong because `/var/lib/samba/private/secrets.tdb` stores machine account passwords and domain secrets (like the machine SID), not the ID mapping database used by winbindd. Option D is wrong because `/etc/passwd` stores Unix user accounts and UIDs, and while winbindd can be configured to use it for fallback, it does not contain the actual SID-to-Unix ID mappings; those are maintained in the winbindd_idmap.tdb file.

57
Multi-Selecteasy

Which TWO statements about the DHCP client on Linux are correct?

Select 2 answers
A.The dhclient command can be used to release and renew a DHCP lease.
B.The /etc/dhcp/dhclient.conf file can specify the hostname the client sends to the server.
C.The dhclient-script is used to parse the /etc/resolv.conf file.
D.The dhcpcd daemon is the standard DHCP client on all Linux distributions.
E.The /etc/dhcpd.conf file configures the DHCP client.
AnswersA, B

Correct. dhclient can release and renew leases via commands like dhclient -r and dhclient.

Why this answer

The dhclient command is the standard DHCP client on many Linux distributions and can be used to release and renew leases. The /etc/dhcp/dhclient.conf file allows configuration of options such as the hostname sent by the client. Other options are incorrect: dhcpcd is not standard on all distributions, /etc/dhcpd.conf is for the server, and dhclient-script handles network interface configuration, not resolv.conf parsing.

58
MCQmedium

You are troubleshooting a Linux client that is unable to connect to the internet. The client is configured to use DHCP on interface eth0. The output of 'ip addr show eth0' shows that the interface has an IP address 192.168.1.100/24, but there is no default gateway. The output of 'ip route show' shows only the local subnet route. The DHCP server is at 192.168.1.1 and is functioning correctly. You have verified that the DHCP client (dhclient) is running, and the lease file /var/lib/dhclient/dhclient-eth0.leases exists and contains option routers 192.168.1.1. Which of the following commands should you run to resolve the issue?

A.systemctl restart networking
B.ip route del default
C.dhclient -r eth0 && dhclient eth0
D.ip route add default via 192.168.1.1
AnswerC

This releases the current lease and obtains a new one, which should reinstate the default gateway from the DHCP server.

Why this answer

Option C is correct because the DHCP client has already obtained a lease with the correct gateway (192.168.1.1), but the default route was not applied. Running `dhclient -r eth0` releases the current lease, and `dhclient eth0` renews it, forcing the client to re-apply all options from the lease, including the default gateway route. This is the standard way to reinitialize the interface's network configuration from the DHCP server without restarting the entire networking service.

Exam trap

The trap here is that candidates often choose the manual route addition (Option D) because it seems quick and effective, but the LPIC-2 exam expects you to understand that the proper troubleshooting step is to renew the DHCP lease to ensure all options are correctly applied, rather than applying a temporary fix that bypasses the DHCP client's configuration logic.

How to eliminate wrong answers

Option A is wrong because `systemctl restart networking` would restart all network interfaces and services, which is an overly broad action that could disrupt other network connections and is not necessary when only the default route is missing; it also may not reapply the DHCP gateway if the lease is still valid. Option B is wrong because `ip route del default` would delete the default route, but there is no default route present (as shown in the output), so this command would either fail or do nothing; it does not add the missing gateway. Option D is wrong because while `ip route add default via 192.168.1.1` would manually add the correct default route, it is a temporary workaround that does not address the underlying issue of why the DHCP client failed to apply the route; the proper solution is to renew the lease so the client correctly processes all DHCP options.

59
Drag & Dropmedium

Order the steps to configure a Linux system as an SSH server with key-based authentication.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Install SSH server, configure it, generate keys, copy public key, restart and test.

60
MCQeasy

You are a system administrator at a small company. The network uses DHCP to assign IP addresses to clients. Recently, some users reported intermittent network connectivity issues. Upon investigation, you notice that the DHCP server is running on a Linux server with the ISC DHCP daemon. The server log shows many 'DHCPREQUEST' messages from a particular MAC address with frequent changes in requested IP addresses. Users with that MAC address are experiencing IP address conflicts and connectivity drops. What is the most likely cause and the best corrective action?

A.Increase the DHCP lease time to reduce the frequency of renewals.
B.Add a static DHCP mapping for the problematic MAC address to a reserved IP.
C.Identify the device with that MAC address and replace its network interface card.
D.Restart the DHCP daemon to clear the lease database.
AnswerC

The faulty NIC is likely sending multiple requests, causing conflicts. Replacing it resolves the issue.

Why this answer

The frequent DHCPREQUEST messages from the same MAC address requesting different IP addresses indicate a faulty network interface card (NIC) that is generating random or corrupted DHCP requests, likely due to hardware malfunction. Replacing the NIC eliminates the root cause by stopping the spurious traffic, whereas other options only mask symptoms or fail to address the hardware fault.

Exam trap

The trap here is that candidates often assume a software or configuration fix (like static mapping or lease adjustment) will solve what is actually a hardware failure, because the symptom appears as a DHCP protocol anomaly rather than a physical layer problem.

How to eliminate wrong answers

Option A is wrong because increasing the lease time would not stop the faulty NIC from sending erratic DHCPREQUESTs; it would only delay renewals, not prevent IP conflicts. Option B is wrong because adding a static DHCP mapping would reserve a specific IP for the MAC, but the faulty NIC would still generate conflicting requests for other IPs, causing lease database corruption and continued conflicts. Option D is wrong because restarting the DHCP daemon only clears the lease database temporarily; the faulty NIC will immediately generate new spurious requests, recreating the same problem.

61
MCQmedium

A new user has been added to the LDAP directory, but the user cannot log in. The admin confirms the LDAP server is reachable and the user entry exists. Which of the following is the most likely missing configuration?

A.The LDAP server does not have the correct schema for the user.
B.The nscd cache is stale and needs to be cleared.
C.The nsswitch.conf file should have 'ldap' before 'files' for passwd.
D.The PAM configuration does not include pam_ldap.
AnswerD

PAM is responsible for authentication; without pam_ldap, LDAP users cannot authenticate.

Why this answer

D is correct because even if the LDAP server is reachable and the user entry exists, the system must be configured to use LDAP for authentication. PAM (Pluggable Authentication Modules) controls how authentication is performed; without pam_ldap (or pam_ldap.so) in the PAM stack, the system will not consult the LDAP server during login, so authentication fails regardless of the LDAP directory contents.

Exam trap

The trap here is that candidates confuse name service resolution (nsswitch.conf) with authentication (PAM), assuming that if getent shows the user, login should work, but PAM is the gatekeeper for authentication and must be explicitly configured.

How to eliminate wrong answers

Option A is wrong because the schema defines the structure of entries (e.g., object classes and attributes), not whether authentication works; if the user entry exists, the schema is already in place. Option B is wrong because nscd caches name service lookups (e.g., user/group info), not authentication; a stale cache might cause getent to show old data, but it would not prevent login if PAM is correctly configured to query LDAP. Option C is wrong because the order in nsswitch.conf affects user/group resolution (e.g., getent passwd), not authentication; PAM is responsible for authentication, and even if 'ldap' is before 'files', without pam_ldap the login will still fail.

62
Multi-Selectmedium

A DNS administrator wants to implement DNSSEC on an authoritative zone. Which TWO resource records are essential for DNSSEC?

Select 2 answers
A.NSEC
B.DNSKEY
C.RRSIG
D.A
E.SOA
AnswersB, C

DNSKEY records hold the public key used to verify signatures.

Why this answer

DNSKEY and RRSIG are the two essential resource records for DNSSEC. The DNSKEY record holds the public signing key, while the RRSIG record contains the digital signature for each RRset, allowing resolvers to verify authenticity and integrity of the zone data.

Exam trap

The trap here is that candidates often confuse NSEC as essential because it is commonly associated with DNSSEC, but the question asks for records essential for DNSSEC itself, not for denial of existence.

63
Multi-Selecteasy

Which TWO commands can be used to list Samba shares on a remote server?

Select 2 answers
A.smbstatus
B.nmblookup -S server
C.net view \\server
D.findsmb
E.smbclient -L //server
AnswersD, E

Correct; findsmb queries the network for Samba servers and shares.

Why this answer

Option D is correct because `findsmb` is a utility that scans the local subnet for Samba/CIFS servers and lists their shares. Option E is correct because `smbclient -L //server` queries the specified remote server for its available shares using the SMB protocol, making it a direct and reliable method for listing shares.

Exam trap

The trap here is that candidates often confuse `nmblookup -S` with a share-listing command, when in fact it only resolves NetBIOS names and displays service type flags, not actual share names.

64
MCQhard

An administrator needs to configure a BIND DNS server to allow dynamic updates from a specific subnet (192.168.1.0/24) for the zone 'example.com'. The administrator must also ensure that the zone file is updated immediately after a dynamic update. Which configuration accomplishes this?

A.zone "example.com" { type master; file "db.example.com"; update-policy { grant 192.168.1.0/24 zonesub ANY; }; };
B.zone "example.com" { type master; file "db.example.com"; allow-transfer { 192.168.1.0/24; }; };
C.zone "example.com" { type master; file "db.example.com"; allow-update { 192.168.1.0/24; }; };
D.zone "example.com" { type master; file "db.example.com"; also-notify { 192.168.1.0/24; }; };
AnswerC

allow-update permits dynamic updates from the subnet. The zone file is updated immediately on each update.

Why this answer

Option C is correct because the `allow-update` statement in BIND explicitly permits dynamic DNS updates (RFC 2136) from specified sources, such as the subnet 192.168.1.0/24. Dynamic updates are written to the zone file immediately by default when using a master zone, ensuring the file is updated in real time.

Exam trap

The trap here is that candidates confuse `allow-update` with `allow-transfer` or `also-notify`, mistakenly thinking those directives enable dynamic updates, or they misapply `update-policy` syntax by using a subnet instead of a key-based identity.

How to eliminate wrong answers

Option A is wrong because `update-policy` uses a different syntax (e.g., `grant 192.168.1.0/24 zonesub ANY;` is invalid; `update-policy` requires a name-based identity like a TSIG key, not a subnet, and the `zonesub` subrule is not applicable here). Option B is wrong because `allow-transfer` controls zone transfers (AXFR/IXFR), not dynamic updates, so it does not permit DNS updates. Option D is wrong because `also-notify` specifies additional nameservers to notify of zone changes, but it does not allow dynamic updates.

65
MCQeasy

An administrator wants to disable the graphical splash screen during boot. What change should be made in /etc/default/grub?

A.Set GRUB_CMDLINE_LINUX="nosplash"
B.Remove 'quiet' from GRUB_CMDLINE_LINUX_DEFAULT
C.Set GRUB_TIMEOUT=0
D.Remove 'splash' from GRUB_CMDLINE_LINUX_DEFAULT
AnswerD

The 'splash' parameter enables the graphical splash screen; removing it disables it.

Why this answer

Option D is correct because the graphical splash screen during boot is controlled by the 'splash' kernel parameter. Removing 'splash' from GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub disables the splash screen, allowing verbose boot messages to be displayed. This parameter is passed to the kernel via the bootloader, and its absence prevents the plymouth or similar splash service from activating.

Exam trap

The trap here is that candidates often confuse 'quiet' with 'splash', thinking that removing 'quiet' alone disables the splash screen, when in fact 'splash' is the specific parameter controlling the graphical boot animation.

How to eliminate wrong answers

Option A is wrong because 'nosplash' is not a valid kernel parameter; the correct parameter to disable the splash screen is the absence of 'splash', not a negative parameter. Option B is wrong because removing 'quiet' only enables verbose kernel messages but does not disable the splash screen; the splash screen can still appear even without 'quiet'. Option C is wrong because GRUB_TIMEOUT=0 only sets the boot menu timeout to zero, skipping the menu, and has no effect on the graphical splash screen during boot.

66
MCQeasy

What is the recommended way to configure a Linux host to obtain an IP address automatically via DHCP on the eth0 interface?

A.Set 'BOOTPROTO=dhclient' in /etc/sysconfig/network-scripts/ifcfg-eth0.
B.Edit /etc/dhcp/dhcpd.conf to include the host's MAC address.
C.Use 'networkctl' to set DHCP=yes on eth0.
D.Set 'BOOTPROTO=dhcp' in /etc/sysconfig/network-scripts/ifcfg-eth0.
AnswerD

Standard for network-scripts.

Why this answer

Option D is correct because on Red Hat-based Linux distributions, the recommended way to configure an interface for DHCP is to set 'BOOTPROTO=dhcp' in the interface configuration file /etc/sysconfig/network-scripts/ifcfg-eth0. This instructs the network service to use the DHCP protocol to obtain an IP address automatically from a DHCP server. The value 'dhcp' is the standard keyword recognized by the ifcfg scripts, not 'dhclient'.

Exam trap

The trap here is that candidates confuse the DHCP client configuration keyword 'dhcp' with the client program name 'dhclient', or mistakenly think that editing the DHCP server configuration file is the correct way to configure a client to obtain an IP automatically.

How to eliminate wrong answers

Option A is wrong because 'BOOTPROTO=dhclient' is not a valid value; the correct keyword is 'dhcp', and the DHCP client (dhclient) is invoked automatically by the network scripts when BOOTPROTO=dhcp is set. Option B is wrong because /etc/dhcp/dhcpd.conf is the configuration file for the DHCP server (dhcpd), not the client; editing it to include the host's MAC address would configure the server to assign a static lease, not configure the host to obtain an IP automatically. Option C is wrong because 'networkctl' is a tool used with systemd-networkd, not with the traditional ifcfg-based network configuration used by Red Hat/CentOS; while systemd-networkd can be used, the question asks for the recommended way on a standard Linux host, and the ifcfg method is the traditional and widely supported approach for this distribution family.

67
MCQhard

Based on the exhibit, which command would change the DNS server to 1.1.1.1 for the connection MyConnection?

A.nmcli con mod MyConnection IP4.DNS 1.1.1.1
B.nmcli con mod MyConnection ipv4.dns 1.1.1.1
C.nmcli dev mod eth0 ipv4.dns 1.1.1.1
D.nmcli con mod MyConnection +ipv4.dns 1.1.1.1
AnswerB

This is the correct nmcli command to modify the DNS setting for the connection.

Why this answer

Option B is correct because the `nmcli con mod` command modifies an existing connection profile, and the `ipv4.dns` property sets the DNS server for IPv4. The property name is case-sensitive and must be lowercase `ipv4.dns` as per NetworkManager's D-Bus API. This command replaces any existing DNS servers with the specified value.

Exam trap

The trap here is that candidates confuse the case-sensitive property name (`ipv4.dns` vs `IP4.DNS`) or mistake the `+` prefix for setting rather than appending, leading them to choose options that either use incorrect syntax or do not achieve the intended replacement.

How to eliminate wrong answers

Option A is wrong because `IP4.DNS` uses incorrect casing; NetworkManager property names are case-sensitive and must be lowercase (`ipv4.dns`). Option C is wrong because `nmcli dev mod` modifies device settings, not connection profiles, and DNS is a per-connection property, not a device property. Option D is wrong because the `+` prefix appends the DNS server to the existing list rather than replacing it, which would not change the DNS server to only 1.1.1.1 if other servers are already configured.

68
MCQmedium

A DHCP server running on a Linux machine is not leasing IP addresses to clients on a particular VLAN. The server's configuration file includes a subnet declaration for that VLAN, but clients receive only link-local addresses. What is the most likely issue?

A.The DHCP server is not running.
B.The DHCP relay agent is not forwarding requests to the server.
C.The DHCP server's interface is not in the same broadcast domain.
D.The subnet mask in the DHCP configuration is incorrect.
AnswerC

DHCP uses broadcast, so the server must be on the same L2 segment or a relay must be present to forward requests.

Why this answer

Option C is correct because the DHCP server's interface must be in the same broadcast domain (i.e., the same VLAN) as the clients to receive their DHCPDISCOVER broadcasts directly. If the server is on a different subnet or VLAN without a DHCP relay agent, the broadcast frames never reach the server, so clients receive no DHCPOFFER and fall back to link-local addresses (APIPA).

Exam trap

The trap here is that candidates often assume a DHCP relay agent is always required for cross-subnet operation, but the question's phrasing about a 'particular VLAN' and 'link-local addresses' points to the fundamental broadcast domain boundary, not a relay failure.

How to eliminate wrong answers

Option A is wrong because if the DHCP server were not running, the server would not respond to any DHCP requests, but the question states the server's configuration includes a subnet declaration for that VLAN, implying it is operational; moreover, clients would still not get leases even if the server were running but isolated from the VLAN. Option B is wrong because a DHCP relay agent is only needed when the server is on a different subnet; the question does not indicate a relay agent is configured or that the server is on a different subnet—the core issue is that the server's interface is not in the same broadcast domain, not that forwarding is failing. Option D is wrong because an incorrect subnet mask in the DHCP configuration would cause clients to receive an IP address but with an invalid subnet, not prevent them from receiving any lease at all; clients would still get a DHCPOFFER and DHCPACK, but the assigned address might be unreachable.

69
MCQhard

During kernel development, a developer modifies only a few source files in a module directory. Which make target should be used to rebuild only that module without compiling the entire kernel?

A.make oldconfig && make
B.make M=./drivers/net
C.make modules
D.make modules_install
AnswerB

The M parameter specifies the directory of the module to compile, useful for external modules or partial rebuilds.

Why this answer

Option B is correct because the `M=./drivers/net` argument tells the kernel build system to build only the module(s) in the specified directory as external modules, without recompiling the entire kernel tree. This is the standard way to rebuild a single kernel module after modifying its source files, leveraging the already configured kernel build environment.

Exam trap

The trap here is that candidates confuse `make modules` (which builds all modules) with the `M=` syntax (which targets a specific module directory), leading them to choose option C instead of B.

How to eliminate wrong answers

Option A is wrong because `make oldconfig && make` would first update the kernel configuration (which is unnecessary if only source files changed) and then rebuild the entire kernel, not just the modified module. Option C is wrong because `make modules` compiles all kernel modules that are enabled in the configuration, not a single module directory. Option D is wrong because `make modules_install` only installs already-built modules into the filesystem (e.g., /lib/modules) and does not perform any compilation.

70
MCQmedium

A system administrator has multiple kernel modules that depend on each other. Module A must be loaded before module B. How can this dependency be ensured automatically when using modprobe?

A.Use depmod to generate dependency information
B.Use insmod to load module A first, then module B in a startup script
C.Add options module_a softdep=module_b to /etc/modprobe.d/
D.Add module B to the /etc/modules file
AnswerC

The softdep option in modprobe.conf allows specifying pre- and post-dependencies, ensuring module A is loaded before module B.

Why this answer

Option C is correct because the `softdep` directive in a modprobe configuration file (e.g., `/etc/modprobe.d/*.conf`) allows you to declare a soft dependency where one module should be loaded before another, without creating a hard dependency in the module symbol table. When `modprobe` processes this directive, it ensures that module A is loaded before module B automatically, even if there is no explicit symbol dependency between them.

Exam trap

The trap here is that candidates often confuse `depmod` (which resolves symbol-based dependencies) with `softdep` (which resolves ordering dependencies without symbol links), leading them to incorrectly choose Option A as the automatic solution.

How to eliminate wrong answers

Option A is wrong because `depmod` generates the `modules.dep` file based on symbol dependencies (e.g., exported symbols used by other modules), not arbitrary ordering requirements like 'A must load before B' when no symbol dependency exists. Option B is wrong because using `insmod` in a startup script is a manual, non-automated approach that bypasses `modprobe`'s dependency resolution and does not leverage the system's module dependency framework. Option D is wrong because `/etc/modules` (or `/etc/modules-load.d/`) is used to specify modules to be loaded at boot time, but it does not enforce load ordering between modules; it simply lists modules to load, and the kernel may load them in an unspecified order.

71
Multi-Selecthard

Which TWO of the following are valid methods to join a Samba server to an Active Directory domain using Samba 4?

Select 2 answers
A.`smbpasswd -j`
B.`winbindd -j`
C.`net ads join`
D.`samba-tool domain join`
E.`net rpc join`
AnswersC, D

The net ads command is used for AD joins.

Why this answer

Option C is correct because `net ads join` is the traditional Samba tool for joining an Active Directory domain using the LDAP and Kerberos protocols over TCP/IP, which is the standard method for Samba 3 and later versions. Option D is correct because `samba-tool domain join` is the native Samba 4 command that directly integrates with the built-in AD domain controller functionality, allowing a Samba server to join an existing AD domain as a member server.

Exam trap

The trap here is that candidates often confuse legacy NT4-style join commands (`net rpc join`) with modern AD join methods, or incorrectly assume that `smbpasswd` or `winbindd` have built-in join capabilities, when in fact only `net ads join` and `samba-tool domain join` are valid for Samba 4 AD joins.

72
MCQhard

An administrator wants to limit the size of the kernel ring buffer to prevent memory overflow. Which kernel boot parameter should be used?

A.log_buf_len
B.log_size
C.kernel.log.size
D.dmesg_size
AnswerA

log_buf_len sets the kernel log buffer size (e.g., log_buf_len=4M).

Why this answer

Option A is correct because `log_buf_len` is the kernel boot parameter that explicitly sets the size of the kernel ring buffer (dmesg buffer). By specifying a value (e.g., `log_buf_len=4M`), the administrator can increase or limit the buffer size to prevent memory overflow when a large volume of kernel messages is generated.

Exam trap

The trap here is that candidates may confuse kernel boot parameters with sysctl or configuration file settings, leading them to pick plausible-sounding but nonexistent options like `log_size` or `dmesg_size` instead of the correct `log_buf_len`.

How to eliminate wrong answers

Option B (`log_size`) is wrong because no such kernel boot parameter exists; it is a fictional name that might be confused with the `log_buf_len` parameter. Option C (`kernel.log.size`) is wrong because it resembles a sysctl or kernel configuration parameter, not a boot-time kernel command-line parameter; the kernel ring buffer size is controlled only via `log_buf_len` at boot. Option D (`dmesg_size`) is wrong because it is not a valid kernel boot parameter; `dmesg` is a user-space command to read the ring buffer, and its size is not set via a boot parameter named `dmesg_size`.

73
MCQhard

A company runs an NTP server that should only synchronize with trusted upstream servers and provide time to internal clients. Which restrict clause in ntp.conf would best secure the server against unauthorized queries?

A.restrict default ignore
B.restrict default kod nomodify notrap nopeer noquery
C.restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap
D.restrict 127.0.0.1
AnswerC

Allows time synchronization from the subnet while blocking modifications.

Why this answer

Option C is correct because it uses a restricted subnet mask (192.168.0.0/16) to allow only internal clients to query the NTP server, while blocking unauthorized external queries. The `nomodify` and `notrap` flags prevent clients from altering the server's configuration or sending control message traps, which aligns with the requirement to secure the server against unauthorized queries. This approach ensures that only trusted internal hosts can synchronize time without exposing the server to external threats.

Exam trap

The trap here is that candidates often choose option B because it includes many security flags, but they overlook that `restrict default` applies to all hosts not explicitly allowed, which would block the required upstream synchronization unless additional `restrict` lines are added for trusted servers.

How to eliminate wrong answers

Option A is wrong because `restrict default ignore` completely blocks all NTP traffic from any host not explicitly allowed, which would prevent even trusted upstream servers from synchronizing with this server, breaking the requirement that the server should synchronize with trusted upstream servers. Option B is wrong because `restrict default kod nomodify notrap nopeer noquery` applies a default deny-all policy with additional restrictions, but it still blocks all default traffic, including necessary queries from trusted upstream servers, and the `kod` (Kiss-o'-Death) packet can be used in denial-of-service attacks. Option D is wrong because `restrict 127.0.0.1` only allows the localhost to access the NTP server, which would block all internal clients and upstream servers, making the server completely isolated and unable to provide time to internal clients or synchronize with upstream servers.

74
MCQmedium

An organization uses a Samba server as a standalone file server. The share 'Projects' is configured with browseable = yes and guest ok = no. Users authenticate with local Samba accounts. A new employee needs access but cannot authenticate. The administrator added the user with 'smbpasswd -a newuser' and set a password. When the user tries to connect, they get 'NT_STATUS_LOGON_FAILURE'. The administrator verifies the username and password are correct. smb.conf includes: security = user, passdb backend = tdbsam. What is the most likely cause?

A.The 'null passwords' parameter is set to 'yes'.
B.The 'map to guest' parameter is set to 'Bad User'.
C.The 'encrypt passwords' parameter is set to 'no'.
D.The user account is not in the system's /etc/passwd.
AnswerD

Samba needs a system account for UID mapping; missing account causes logon failure.

Why this answer

The correct answer is D because Samba with `passdb backend = tdbsam` stores user credentials in its own TDB database, but it still requires the user to exist as a local system account in `/etc/passwd` (or equivalent) for authentication to succeed. The `smbpasswd -a` command only adds the user to the Samba password database; if the user is not present in `/etc/passwd`, the authentication attempt fails with `NT_STATUS_LOGON_FAILURE` because Samba cannot map the session to a valid Unix UID.

Exam trap

The trap here is that candidates assume `smbpasswd -a` alone creates a fully functional Samba user, but it only updates the password backend; the underlying Unix account must exist in `/etc/passwd` for authentication to proceed.

How to eliminate wrong answers

Option A is wrong because `null passwords = yes` would allow blank passwords, which is irrelevant to a user who has a non‑blank password set via `smbpasswd`. Option B is wrong because `map to guest = Bad User` would map failed authentication attempts to the guest account, but the share has `guest ok = no`, so guest access is denied; moreover, the error is `NT_STATUS_LOGON_FAILURE`, not a guest mapping. Option C is wrong because `encrypt passwords = no` would disable NTLM password hashing, but modern Samba (with `security = user` and `tdbsam`) defaults to encrypted passwords, and setting it to `no` would cause a different error (e.g., `NT_STATUS_ACCESS_DENIED`), not a logon failure.

75
MCQmedium

A developer frequently needs to access a remote database server that is only accessible via SSH from a jump host. To simplify access, the administrator wants to create a local port forward so that the developer can connect to localhost:3306 and reach the remote database's MySQL port 3306. Which SSH command achieves this?

A.ssh -J user@jump.example.com -L 3306:localhost:3306 db.internal
B.ssh -L 3306:db.internal:3306 user@jump.example.com
C.ssh -L localhost:3306:db.internal:3306 user@jump.example.com
D.ssh -R 3306:localhost:3306 user@jump.example.com
E.ssh -L 3306:localhost:3306 user@jump.example.com
AnswerB, E

Forwards local port 3306 to db.internal:3306 via jump host.

Why this answer

Option B is correct because the `-L` flag creates a local port forward, mapping a local port (3306) to a remote destination (db.internal:3306) via the SSH connection to the jump host (user@jump.example.com). The syntax `-L 3306:db.internal:3306` tells SSH to listen on localhost:3306 and forward all traffic through the jump host to db.internal:3306, which is reachable from the jump host. This allows the developer to connect to localhost:3306 and reach the remote MySQL database.

Exam trap

The trap here is confusing local port forwarding (`-L`) with remote port forwarding (`-R`) or misinterpreting the destination address as being resolved from the client's network instead of the SSH server's network.

How to eliminate wrong answers

Option A is wrong because the `-J` flag specifies a jump host for a multi-hop SSH connection, but the syntax `-L 3306:localhost:3306` incorrectly binds the local port to the jump host's localhost, not the target database server. Option C is wrong because it explicitly binds to localhost:3306 on the client side, but the syntax `-L localhost:3306:db.internal:3306` is functionally identical to option B and is also correct; however, the question marks both B and C as correct, but the intended correct answer is B as it matches the standard SSH syntax without the redundant `localhost:` prefix. Option D is wrong because `-R` creates a remote port forward (listening on the remote side), not a local port forward, which would allow connections to the jump host's port 3306 to reach the client's localhost:3306, opposite of what is needed.

Option E is wrong because `-L 3306:localhost:3306` forwards local port 3306 to the jump host's localhost:3306, not to the remote database server db.internal.

Page 1 of 7

Page 2

All pages