Linux Professional Institute Certification Level 2 LPIC-2 (LPIC-2) — Questions 76-150

511 questions total · 7 pages · All types, answers revealed

Page 2 of 7

76
MCQ · medium

A Postfix mail server is configured to use Dovecot SASL for authentication. Users report that they can send emails but are prompted for their password repeatedly, and the logs show "SASL authentication failed". The Dovecot SASL socket is configured correctly. What is the most likely cause?

A. The mynetworks parameter in Postfix is set to the wrong subnet.
B. The postfix user does not have permission to access the Dovecot auth socket.
C. The Dovecot auth mechanism is set to 'login' but Postfix expects 'PLAIN'.
D. The smtpd_sasl_auth_enable parameter is set to no.
Answer: B

Permission issues prevent SASL communication, causing authentication failures.

Why this answer

The correct answer is B because the most common cause of repeated password prompts and 'SASL authentication failed' errors when Postfix is configured to use Dovecot SASL is a permissions issue on the Dovecot auth socket. Even if the socket path is correct in Postfix's `smtpd_sasl_path`, the Postfix process (typically running as the `postfix` user) must have read/write access to that socket file. Without proper permissions, Postfix cannot communicate with Dovecot's authentication service, causing SASL failures despite correct authentication mechanisms and enabled settings.

Exam trap

The trap here is that candidates often focus on authentication mechanism mismatches or network-level settings, overlooking the fundamental Unix permission issue on the SASL socket, which is a classic gotcha in Postfix-Dovecot integration.

How to eliminate wrong answers

Option A is wrong because `mynetworks` controls which clients can relay mail without authentication (i.e., trusted subnets), not SASL authentication failures; a misconfigured `mynetworks` would allow relaying without auth or block it, but would not cause repeated password prompts with SASL errors. Option C is wrong because Dovecot's default auth mechanism is 'PLAIN' and Postfix typically expects 'PLAIN' or 'LOGIN'; if the mechanism were mismatched, the error would be about unsupported mechanism, not a generic 'SASL authentication failed' with repeated prompts. Option D is wrong because if `smtpd_sasl_auth_enable` were set to 'no', Postfix would not offer SASL authentication at all, and users would not be prompted for passwords; the fact that they are prompted indicates this parameter is enabled.

77
MCQ · medium

After adding a new LUN to an existing SAN, the administrator runs multipath -ll but sees the new LUN as 'failed'. The multipathd service is running. What is the most likely cause?

A. The multipathd daemon needs to be restarted
B. The new LUN has not been presented to the host from the SAN
C. The /etc/multipath.conf needs to be edited to include the new LUN
D. The SCSI device needs to be manually created with mknod
Answer: B

If the LUN is not presented, the host cannot see it, causing all paths to show 'failed'.

Why this answer

When a new LUN appears as 'failed' in `multipath -ll` output, the most common cause is that the LUN has not been properly presented to the host from the SAN. Even if the multipathd service is running, multipathd can only manage devices that the SCSI layer has already discovered. If the SAN administrator has not zoned or masked the LUN to the host, the host's SCSI subsystem never sees the device, so multipathd reports it as 'failed' because it cannot find the underlying paths.

Exam trap

LPI often tests the misconception that multipathd needs a restart or configuration change for new LUNs, but the real issue is almost always the SCSI layer not having discovered the device due to incomplete SAN presentation or missing bus rescan.

How to eliminate wrong answers

Option A is wrong because restarting multipathd is unnecessary; multipathd automatically detects new devices via uevents, and a restart would not fix a missing SCSI device. Option C is wrong because /etc/multipath.conf does not need editing for a new LUN unless you require custom aliases or blacklisting; multipathd can manage any LUN discovered by the SCSI layer by default. Option D is wrong because modern Linux kernels automatically create SCSI device nodes via udev; manually using mknod is obsolete and would not resolve a missing LUN presentation.

78
MCQ · hard

A host on 192.168.2.100 tries to SSH to the firewall's IP address (192.168.1.1). The firewall's input chain policy is drop. Will the SSH connection be allowed?

A. No, because the input chain drops all packets that don't match rules.
B. No, because SSH to the firewall is considered forwarded traffic.
C. Yes, because the forward chain accepts SSH.
D. Yes, because there is a rule accepting SSH from 192.168.2.0/24.
Answer: D

The rule explicitly allows SSH from that subnet.

Why this answer

Option D is correct because the firewall's input chain policy is set to drop, but a specific rule exists that accepts SSH traffic from the 192.168.2.0/24 subnet. Since the source IP 192.168.2.100 falls within that subnet, the SSH connection to the firewall's own IP (192.168.1.1) is allowed by that rule before the default drop policy is applied. The input chain processes traffic destined for the firewall itself, so the rule directly permits this inbound SSH session.

Exam trap

The trap here is that candidates confuse the input chain (for traffic to the firewall) with the forward chain (for traffic through the firewall), and incorrectly assume that a drop policy on the input chain blocks all traffic regardless of existing rules, ignoring rule precedence over the default policy.

How to eliminate wrong answers

Option A is wrong because while the input chain policy is drop, a specific rule accepting SSH from 192.168.2.0/24 overrides the default policy for matching packets; the drop policy only applies to packets that do not match any rule. Option B is wrong because SSH to the firewall's own IP address is traffic destined for the firewall itself, not forwarded traffic; forwarded traffic would be destined for another host behind the firewall, which is handled by the forward chain. Option C is wrong because the forward chain handles traffic passing through the firewall (not destined for it), and even if it accepted SSH, it would not apply to traffic targeting the firewall's own IP; the input chain must permit the connection.

79
MCQ · hard

A storage administrator sees the following output from multipath -ll: 'dm-3 (3600605b0038f1f0019f1f7e00000000) size=10G features='0' hwhandler='0' wp=rw' but the paths are all 'failed'. The SCSI devices are listed in /proc/scsi/scsi. What is the most likely cause?

A. The device mapper is not configured
B. The multipathd daemon is not running
C. The SAN fiber cables are disconnected
D. The multipath configuration uses user_friendly_names but the bindings file is missing
Answer: C

If cables are disconnected, paths show 'failed' even though the scsi devices are detected.

Why this answer

The output from multipath -ll shows the multipath device dm-3 with its WWID and size, but all paths are 'failed'. Since /proc/scsi/scsi lists the SCSI devices, the host bus adapters (HBAs) and drivers are functioning at the OS level. The most common cause for all paths to fail simultaneously is a physical connectivity issue, such as disconnected SAN fiber cables, which prevents the initiator from reaching the target LUNs.

Exam trap

The trap here is that candidates see 'failed' paths and assume a software configuration issue (like multipathd not running or missing bindings), but the presence of the multipath device and SCSI devices in /proc/scsi/scsi points to a physical layer problem instead.

How to eliminate wrong answers

Option A is wrong because the device mapper is clearly configured and active, as evidenced by the multipath device dm-3 being listed in the output. Option B is wrong because if the multipathd daemon were not running, the multipath -ll command would not produce any output or would show an error; the fact that it returns device details indicates the daemon is operational. Option D is wrong because user_friendly_names and the bindings file affect only the naming of multipath devices (e.g., mpatha), not the path status; the output shows the WWID, so this feature is not in use or irrelevant to path failures.

80
MCQ · medium

A user reports that the command 'smbclient -L //fileserver' fails with a timeout. What is the most likely cause?

A. The smbd service on the server is not running.
B. The user does not have an account on the server.
C. The server is not reachable via ping.
D. A firewall on the client or server is blocking TCP port 445.
Answer: D

Port 445 is used by SMB; blocking it causes timeouts.

Why this answer

The command 'smbclient -L //fileserver' uses SMB protocol to list shares. A timeout indicates the client cannot establish a TCP connection to the server on port 445, which is the default SMB port. A firewall blocking TCP 445 would prevent the connection, causing a timeout, while other issues like a stopped smbd service or unreachable server would typically produce different errors (e.g., 'connection refused' or 'no route to host').

Exam trap

The trap here is that candidates confuse a timeout (no response) with a connection refusal (immediate failure), leading them to incorrectly choose a stopped service or unreachable server when the real issue is a firewall silently dropping packets.

How to eliminate wrong answers

Option A is wrong because if the smbd service is not running, the server would actively refuse the connection (TCP RST), resulting in an immediate 'connection refused' error, not a timeout. Option B is wrong because authentication is not required for the '-L' option to list shares; it only affects the ability to access specific shares, not the initial connection. Option C is wrong because if the server is not reachable via ping, the client would likely receive an 'ICMP unreachable' or 'no route to host' error, not a timeout; a timeout specifically suggests the server is reachable but not responding on the SMB port.

81
MCQ · medium

An administrator wants to ensure that a Linux client sends all DNS queries to a specific DNS server without relying on DHCP-provided DNS servers. Which configuration files should be modified?

A. Configure NetworkManager to ignore DNS from DHCP and set the DNS manually in the connection profile
B. Edit /etc/dhcp/dhclient.conf to add 'supersede domain-name-servers <desired IP>;'
C. Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and set PEERDNS=no and DNS1=<desired IP>
D. Edit /etc/resolv.conf and set the nameserver to the desired IP
Answer: B

This overrides DHCP-provided DNS servers and ensures the client uses the specified DNS.

Why this answer

Option B is correct because the dhclient.conf file allows an administrator to override DHCP-provided DNS servers using the 'supersede' directive. This forces the DHCP client to ignore the DNS servers received from the DHCP server and instead use the manually specified DNS server when writing /etc/resolv.conf. This is a standard method for controlling DNS resolution on systems using dhclient.

Exam trap

The trap here is that candidates often assume editing /etc/resolv.conf directly is sufficient, but they fail to recognize that DHCP clients or network management tools will overwrite it, making the change non-persistent unless the DHCP client is explicitly configured to ignore or supersede the provided DNS servers.

How to eliminate wrong answers

Option A is wrong because NetworkManager is not the only network management service; many Linux systems use dhclient directly, and the question does not specify NetworkManager. Option C is wrong because /etc/sysconfig/network-scripts/ifcfg-eth0 is specific to Red Hat-based systems using legacy network scripts, not a universal solution, and setting PEERDNS=no only prevents DHCP from overwriting resolv.conf but does not directly force the DNS server into resolv.conf without additional configuration. Option D is wrong because /etc/resolv.conf is dynamically overwritten by DHCP clients (like dhclient) or resolvers, so editing it directly is not persistent and will be reverted on network restart or DHCP renewal.

82
MCQ · medium

A Samba server is configured with 'security = ads' and joined to an Active Directory domain. Users report that SIDs are not being resolved correctly. Which service and configuration file are critical for ID mapping?

A. smbd and /etc/samba/smb.conf
B. winbind and /etc/security/pam_winbind.conf
C. nmbd and /etc/samba/smb.conf
D. winbind and /etc/samba/smb.conf
Answer: D

Correct; Winbind provides ID mapping and uses smb.conf for settings.

Why this answer

When Samba is configured with 'security = ads' and joined to an Active Directory domain, the winbind service is responsible for resolving Windows SIDs to Unix UIDs/GIDs and vice versa. The critical configuration for ID mapping is defined in the 'idmap config' directives within /etc/samba/smb.conf, making winbind and smb.conf the correct pair. Without winbind running and proper idmap configuration, SID resolution will fail.

Exam trap

The trap here is that candidates confuse winbind's role in authentication (PAM) with its role in ID mapping, leading them to choose /etc/security/pam_winbind.conf instead of /etc/samba/smb.conf for the critical configuration file.

How to eliminate wrong answers

Option A is wrong because smbd handles file sharing and authentication, not SID-to-UID/GID resolution; ID mapping is managed by winbind. Option B is wrong because /etc/security/pam_winbind.conf configures PAM integration for authentication, not the ID mapping backend; the core ID mapping configuration resides in /etc/samba/smb.conf. Option C is wrong because nmbd handles NetBIOS name resolution and browsing, not ID mapping or SID resolution; winbind is the required service.

83
MCQ · hard

A system administrator compiled a custom kernel module for a new hardware device. After copying the .ko file to /lib/modules/$(uname -r)/, the module is not loading automatically at boot. What is the most likely cause?

A. The module needs to be added to /etc/modules.
B. The module has a dependency error.
C. The kernel version does not match the module.
D. The module is blacklisted in /etc/modprobe.d/.
Answer: D

Blacklisted modules are prevented from loading even if installed correctly.

Why this answer

Option D is correct because a blacklist entry in /etc/modprobe.d/ explicitly prevents the kernel from loading the module at boot, regardless of its presence in /lib/modules/$(uname -r)/. The modprobe system reads these configuration files during early boot and skips any module listed with a 'blacklist' directive, which is the most likely cause when a module is present but fails to load automatically.

Exam trap

The trap here is that candidates often assume a module must be explicitly added to a configuration file to load at boot, overlooking that blacklisting is a silent override that prevents automatic loading without any error message.

How to eliminate wrong answers

Option A is wrong because /etc/modules (or /etc/modules-load.d/*.conf) is used to specify modules to load at boot on some distributions, but the module is already present in the correct directory and should load automatically if not blacklisted; adding it there is not the most likely cause. Option B is wrong because a dependency error would typically produce an error message during modprobe or boot, and the module would still be attempted; the question states it is 'not loading automatically at boot' without mentioning errors, making blacklisting more plausible. Option C is wrong because the administrator copied the .ko file to /lib/modules/$(uname -r)/, which matches the running kernel version, so a version mismatch is unlikely.

84
Multi-Select · hard

Which TWO iptables commands are necessary to allow incoming SSH connections (port 22) from the subnet 192.168.1.0/24 while dropping all other incoming traffic? Assume the INPUT chain has a default policy of DROP. (Choose two.)

Select 2 answers
A. iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j DROP
B. iptables -A INPUT -j DROP
C. iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
D. iptables -A INPUT -j ACCEPT
E. iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
Answers: B, C

This drops all remaining incoming traffic not matched by earlier rules.

Why this answer

Options A and D are correct. Option A adds a rule to accept SSH from the subnet. Option D adds a rule to drop all other traffic (it may be unnecessary when the default policy is already DROP, but it is often added to be explicit).

Option B is wrong because it accepts all traffic from the subnet, not just SSH. Option C is wrong because it drops all traffic from the subnet. Option E is wrong because it accepts all incoming traffic.

85
MCQ · hard

A financial institution uses a Linux server with a custom application that runs as the 'appuser' and writes logs to /var/log/app/. The security team recently detected that the application is vulnerable to a local privilege escalation via log injection. To mitigate, they decide to implement mandatory access control (MAC) using SELinux. The system is CentOS 7 with SELinux in enforcing mode. The current context of /var/log/app is 'unconfined_u:object_r:var_log_t:s0'. The application should only be allowed to write to logs in that directory, and no other processes should modify them. Which SELinux policy change should be made?

A. Use 'semanage permissive -a app_t' to put the application domain in permissive mode.
B. Create a custom SELinux policy module that defines a new type for the log directory and transitions for the application domain.
C. Run 'chcon -t var_log_t /var/log/app' to set the correct context.
D. Use 'audit2allow' to create a local policy module based on current denials.
Answer: B

A targeted policy ensures least privilege and persistent enforcement.

Why this answer

Option D is correct. Creating a custom policy allows defining rules for the application's domain, restricting it to only the necessary operations. Option A (chcon) is temporary and not persistent across relabeling.

Option B (semanage permissive) would allow the application to break out without restriction, defeating the purpose. Option C (audit2allow) generates allow rules from denials, but the application might still have unwanted access; it's better to craft a targeted policy.

86
Multi-Select · hard

Which THREE configuration directives are necessary to enable Winbind for Active Directory authentication on a Samba domain member?

Select 3 answers
A. security = ads
B. winbind use default domain = yes
C. realm = EXAMPLE.COM
D. workgroup = EXAMPLE
E. idmap config * : range = 10000-20000
Answers: A, C, E

Correct; enables Active Directory domain membership.

Why this answer

Option A is correct because setting 'security = ads' tells Samba to operate as an Active Directory domain member, using Kerberos for authentication and LDAP for identity lookups. This directive is mandatory for Winbind to communicate with an AD domain controller.

Exam trap

The trap here is that candidates often confuse 'workgroup' with 'realm' or assume 'winbind use default domain = yes' is mandatory, when in fact only 'security = ads', 'realm', and an idmap range are strictly required for basic Winbind AD integration.

87
MCQ · easy

A packet destined for 192.168.1.100 is sent from this router. Which interface will be used to forward it?

A. eth0
B. lo
C. eth1
D. The packet will be dropped
Answer: A

The route to 192.168.1.0/24 uses eth0.

Why this answer

The router uses the routing table to determine the next hop for a packet destined for 192.168.1.100. Assuming a directly connected subnet (e.g., 192.168.1.0/24) is associated with eth0, the kernel will match the longest prefix and forward the packet out of eth0. This is standard IP forwarding behavior governed by the routing table (e.g., 'ip route show').

Exam trap

The trap here is that candidates often assume the router will use the interface with the same IP subnet as the destination, but they forget to verify that the routing table actually contains a directly connected route for that subnet; without a matching route, the packet would be dropped or forwarded via a default route.

How to eliminate wrong answers

Option B is wrong because the loopback interface (lo) is used only for traffic destined for the router itself (127.0.0.0/8), not for forwarding packets to remote hosts. Option C is wrong because eth1 would only be used if the routing table had a route pointing to 192.168.1.0/24 via eth1; without such a route, the interface is irrelevant. Option D is wrong because the packet will not be dropped if a valid route exists; dropping occurs only when no route matches (e.g., 'unreachable' or 'blackhole' route), which is not indicated here.

88
Multi-Select · medium

Which TWO of the following are common symptoms of a misconfigured winbind service when Samba is joined to an Active Directory domain?

Select 2 answers
A. `net ads join` fails with 'access denied'.
B. Domain users cannot authenticate via SSH.
C. `getent passwd` does not list domain users.
D. `wbinfo -u` returns a list of domain users but `getent passwd` does not.
Answers: C, D

This indicates winbind NSS module is not working.

Why this answer

When winbind is misconfigured, the Name Service Switch (NSS) module may not be properly set up to query winbind for domain users. This means `getent passwd` will not return domain users even if winbind itself can enumerate them via `wbinfo -u`. The core issue is that NSS is not configured to use the `winbind` source in `/etc/nsswitch.conf`, or the winbind service is not correctly communicating with the NSS subsystem.

Exam trap

The trap here is that candidates assume `wbinfo -u` and `getent passwd` should always return the same results, but they do not realize that `wbinfo` bypasses NSS and directly queries winbind, while `getent` relies on the NSS configuration.

89
Multi-Select · hard

Which THREE statements about PAM configuration are correct? (Select three.)

Select 3 answers
A. The control flag 'required' means the module must succeed; if it fails, authentication fails immediately.
B. The module type 'auth' is used for account management.
C. The order of modules in a stack affects the outcome.
D. The control flag 'requisite' means the module must succeed, and if it fails, no further modules are called.
E. The control flag 'sufficient' means that if the module succeeds, authentication succeeds immediately.
Answers: C, D, E

PAM module order is significant.

Why this answer

Option C is correct because PAM (Pluggable Authentication Modules) processes modules in a defined order within a stack, and the control flags (required, requisite, sufficient, optional) determine how the success or failure of each module affects the overall authentication result. The order matters because a 'sufficient' module that succeeds can cause authentication to succeed immediately, bypassing later modules, while a 'required' module that fails can cause authentication to fail after all modules in the stack have been evaluated.

Exam trap

The trap here is that candidates often confuse 'required' with 'requisite', mistakenly thinking that 'required' causes immediate failure, when in fact 'required' allows the stack to continue processing, while 'requisite' is the flag that immediately aborts on failure.

90
Multi-Select · easy

Which TWO of the following tools are used to capture and analyze network packets on a Linux system?

Select 2 answers
A. tcpdump
B. wireshark (tshark)
C. iptables
D. netstat
E. nmap
Answers: A, B

tcpdump is a command-line packet capture tool.

Why this answer

tcpdump is a command-line packet analyzer that captures raw network packets from the wire by placing the network interface into promiscuous mode and using libpcap to read packets. It allows filtering based on protocols, ports, and hosts using BPF (Berkeley Packet Filter) syntax, making it a fundamental tool for network troubleshooting and security analysis.

Exam trap

The trap here is that candidates often confuse tools that manipulate packets (like iptables) or scan networks (like nmap) with tools that passively capture and decode packet contents, leading them to select iptables or nmap instead of recognizing that only tcpdump and tshark perform raw packet capture and analysis.

91
MCQ · easy

Which of the following is the correct command to add an IPv6 address 2001:db8::1/64 to interface eth0?

A. ip -6 addr add 2001:db8::1/64 dev eth0
B. ip addr add 2001:db8::1/64 dev eth0
C. ip -6 addr add 2001:db8::1 dev eth0
D. ip link set eth0 ipv6 2001:db8::1/64
E. ifconfig eth0 inet6 add 2001:db8::1/64
Answer: A

Correct syntax with -6 flag and prefix length.

Why this answer

Option A is correct because the `ip -6 addr add` command is the proper way to add an IPv6 address to an interface using the `ip` tool from the iproute2 suite. The `-6` option restricts the operation to IPv6, and the address must include the prefix length (`/64`) to define the subnet. The `dev eth0` parameter specifies the target interface.

Exam trap

The trap here is that candidates often forget the `-6` flag or the prefix length, assuming the `ip` command can infer IPv6 context automatically, or they mistakenly use deprecated `ifconfig` syntax from older Linux distributions.

How to eliminate wrong answers

Option B is wrong because omitting the `-6` flag makes the command ambiguous; while `ip addr add` can handle IPv6 addresses, the `-6` flag is required for explicit IPv6 context in some implementations and is considered best practice. Option C is wrong because it omits the prefix length (`/64`), which is mandatory for IPv6 address configuration to define the subnet mask. Option D is wrong because `ip link set` does not accept an `ipv6` parameter; it is used for link-level properties like MTU or state, not for assigning addresses.

Option E is wrong because `ifconfig` is deprecated and its syntax `ifconfig eth0 inet6 add 2001:db8::1/64` is not valid; the correct `ifconfig` syntax would be `ifconfig eth0 inet6 add 2001:db8::1/64` (note the order), but even then, `ifconfig` is obsolete in favor of `ip`.

92
Multi-Select · medium

A system fails to boot due to a corrupted initramfs. Which TWO methods can be used to recover? (Choose two.)

Select 2 answers
A. Edit the GRUB command line to add 'init=/bin/bash' and then rebuild the initramfs from that shell
B. Reinstall the kernel package from the GRUB command line using a network boot
C. Use kexec to boot a different kernel
D. Use the rescue mode of the installation media (e.g., RHEL rescue, Ubuntu recovery)
E. Boot with a live CD, chroot to the system, and rebuild the initramfs
Answers: D, E

Rescue mode provides a minimal environment to repair the system.

Why this answer

Option D is correct because booting from installation media (e.g., RHEL rescue or Ubuntu recovery) provides a minimal environment that can mount the root filesystem, chroot into it, and then rebuild the initramfs using the system's own kernel and modules. This method does not require a working initramfs on the disk, as the rescue environment supplies its own kernel and initial RAM disk.

Exam trap

The trap here is that candidates often think 'init=/bin/bash' is a universal recovery method, but it fails to provide a functional environment for rebuilding initramfs because the root filesystem is not fully mounted and critical tools are missing.

93
MCQ · medium

A Samba share is configured with 'valid users = @staff' but users in the staff group still get 'NT_STATUS_ACCESS_DENIED' when accessing the share. The server uses 'security = user'. Which additional configuration is required?

A. Set 'guest ok = yes'
B. Set 'force group = staff'
C. Run smbpasswd -a for each user
D. Add the share to [global]
Answer: C

Samba passwords are separate from system passwords.

Why this answer

With 'security = user', Samba requires each user to have a separate Samba password stored in the smbpasswd file (or another passdb backend). Even if a user is a member of the 'staff' group and exists in the system's /etc/passwd, they cannot authenticate to the share without an smbpasswd entry. Running 'smbpasswd -a' for each user creates that entry, resolving the NT_STATUS_ACCESS_DENIED error.

Exam trap

The trap here is that candidates assume group membership alone grants access, overlooking that Samba's user-level security requires a separate password database entry for each authenticated user.

How to eliminate wrong answers

Option A is wrong because 'guest ok = yes' allows anonymous access, which bypasses authentication entirely and does not address the requirement for valid users to authenticate with their own credentials. Option B is wrong because 'force group = staff' only changes the effective group for file operations after authentication; it does not fix the missing Samba password database entry that prevents authentication. Option D is wrong because adding the share to the [global] section is syntactically invalid—shares must be defined in their own stanzas, and this does not affect user authentication.

94
MCQ · hard

Based on the sshd configuration, user 'charlie' attempts to log in using public key authentication. What will happen?

A. Login is denied because the DenyUsers directive explicitly blocks charlie.
B. Login is allowed because PasswordAuthentication is disabled, but public key authentication is enabled.
C. Login is allowed because AllowUsers includes other users but does not deny charlie.
D. Login is denied because charlie's IP address is not in the allowed list.
Answer: A

DenyUsers blocks charlie regardless of authentication.

Why this answer

The DenyUsers directive in sshd_config explicitly blocks the user 'charlie' from logging in, regardless of the authentication method. Since DenyUsers takes precedence over AllowUsers and other authentication settings, public key authentication will still be denied for charlie. The correct answer is A because the directive explicitly denies charlie, overriding any other configuration.

Exam trap

The trap here is that candidates often assume that enabling public key authentication automatically allows login, ignoring the explicit DenyUsers directive that takes precedence over authentication methods.

How to eliminate wrong answers

Option B is wrong because while PasswordAuthentication is disabled and public key authentication is enabled, the DenyUsers directive explicitly blocks charlie, so login is denied regardless of the authentication method. Option C is wrong because AllowUsers includes other users but does not deny charlie; however, DenyUsers explicitly blocks charlie, and DenyUsers takes precedence over AllowUsers. Option D is wrong because there is no IP-based restriction mentioned in the question; the denial is due to the DenyUsers directive, not an IP address list.

95
Multi-Select · hard

Which THREE directives are essential for configuring an OpenLDAP client in /etc/ldap/ldap.conf? (Choose three.)

Select 3 answers
A. SIZELIMIT
B. BINDDN
C. BASE
D. TLS_REQCERT
E. URI
Answers: C, D, E

Specifies the default search base.

Why this answer

The BASE directive defines the starting point for LDAP searches (e.g., dc=example,dc=com) and is essential for client configuration to know which subtree to query. Without it, the client cannot determine the search base for directory lookups.

Exam trap

LPI often tests the misconception that BINDDN is a mandatory global setting, when in fact it is an authentication credential that should not be stored in the shared configuration file for security reasons.

96
MCQ · hard

A company has a fleet of servers running a custom Linux kernel version 5.4. They have developed several in-house kernel modules that interface with proprietary hardware. Due to a security vulnerability, the company decides to upgrade all servers to kernel version 5.10. After upgrading the kernel on a test server, the custom modules fail to load with the error 'Invalid module format' or 'disagrees about version magic'. The system administrator must resolve this issue for all servers. The modules are closed-source and cannot be modified easily. The administrator considers the following options. What is the most effective course of action to load the custom modules on the new kernel?

A. Recompile the custom kernel modules against the new kernel headers and install them.
B. Use modprobe with the --force-vermagic option to bypass the version check.
C. Update the version magic string in the module binary by patching the file.
D. Use systemd-modules-load to load the modules later in the boot process.
Answer: A

Recompiling ensures the modules match the new kernel's version magic and ABI.

Why this answer

Option A is correct because the custom kernel modules were compiled against the version magic of kernel 5.4. The vermagic string embeds the kernel release plus build options (SMP, preempt, mod_unload, modversions, and on some architectures further ABI flags), and a 5.10 build produces a different string; with CONFIG_MODVERSIONS the per-symbol CRCs change as well. Recompiling the modules against the headers of the new kernel, taken from the same build and .config the servers will boot (not merely any 5.10 headers), regenerates a matching vermagic and matching CRCs, so the modules load cleanly.

Closed-source out-of-tree drivers are normally shipped as a binary object plus a small source shim that is compiled on the target against the installed headers (the model DKMS automates); if the vendor ships only a finished .ko, the vendor must supply a build for 5.10. Either way a rebuild against the target kernel is the only fix that leaves the module ABI-consistent with the kernel it runs in.

Exam trap

The trap here is that modprobe really does have a --force-vermagic option (Option B), so candidates who know it exists may pick it; the LPIC-2 exam expects knowledge that forcing only suppresses the check, that a forced module taints the kernel and can crash it, and that only recompilation against the correct kernel headers resolves the mismatch. Option C looks like a shortcut for the same reason and fails for the same reason.

How to eliminate wrong answers

Option B is wrong, but not because the option is fictional: modprobe accepts --force-vermagic and --force-modversion, and -f (--force) enables both, as does insmod -f. Forcing strips the version check without changing the binary, so a module built for 5.4 is loaded with 5.4 structure layouts and symbol CRCs into a 5.10 kernel; the kernel is tainted (the F flag), and mismatched structures mean undefined behaviour or a crash rather than a fix. Option C is wrong because patching the vermagic string in the .modinfo section of the ELF object only defeats the same check by hand: the ABI mismatch remains, and hand-editing binaries is neither reliable nor maintainable across a fleet. Option D is wrong because systemd-modules-load only decides when modprobe runs; the kernel performs the same vermagic check at that point and the modules fail with the same error.
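The check a practitioner runs before touching the fleet is to read the module's vermagic with `modinfo -F vermagic` and compare it token by token with the vermagic of a module known to load on the target kernel. The script below is an added example, not code from the original question set; the vermagic strings in it are constructed for illustration and the kernel release names are assumptions.

```shell
#!/bin/sh
# Compare a module's vermagic with a reference vermagic (e.g. from an in-tree
# module that is currently loaded, as listed by lsmod). Every token must match,
# not just the release string: a module built without preempt for a kernel
# that has it is still rejected.

# Read the vermagic string out of a .ko or a loaded module name.
module_vermagic() {
    modinfo -F vermagic "$1"
}

# vermagic_check REF_VERMAGIC MOD_VERMAGIC
# Returns 0 when identical; otherwise prints each differing token and returns 1.
vermagic_check() {
    ref=$1
    mod=$2
    [ "$ref" = "$mod" ] && return 0
    # Split both strings into tokens; report tokens present in one but not the other.
    for tok in $ref; do
        case " $mod " in
            *" $tok "*) ;;
            *) echo "kernel has '$tok', module lacks it" ;;
        esac
    done
    for tok in $mod; do
        case " $ref " in
            *" $tok "*) ;;
            *) echo "module has '$tok', kernel lacks it" ;;
        esac
    done
    return 1
}

# Constructed sample strings (assumed values, not taken from a real system).
KERNEL_VERMAGIC="5.10.0-custom SMP preempt mod_unload modversions"
OLD_MODULE_VERMAGIC="5.4.0-custom SMP mod_unload modversions"
REBUILT_MODULE_VERMAGIC="5.10.0-custom SMP preempt mod_unload modversions"

# Typical use on a live host, comparing a vendor .ko against a loaded module:
#   ref=$(module_vermagic "$(lsmod | awk 'NR==2{print $1}')")
#   vermagic_check "$ref" "$(module_vermagic /path/to/vendor.ko)"
```

Tokens that differ are printed one per line, so the output tells you whether the problem is the release string alone (a rebuild against the new headers fixes it) or a configuration flag such as preempt (the rebuild must use the target kernel's .config, not a generic one).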

97
Multi-Selectmedium

Which THREE commands can be used to display routing information?

Select 3 answers
A.ping -R
B.route -n
C.ip route show
D.traceroute
E.netstat -r
AnswersB, C, E

Legacy command that shows routing table with numeric addresses.

Why this answer

The `route -n` command displays the kernel's IPv4 routing table with numeric addresses, avoiding DNS lookups. It is a standard tool for viewing routing information on Linux systems, making option B correct.

Exam trap

The trap here is that candidates confuse commands that show network path information (like `traceroute` or `ping -R`) with commands that display the local routing table, leading them to select options that do not actually show routing information.

98
MCQhard

An administrator is troubleshooting IPv6 connectivity on a Linux host. The host has an IPv6 address configured on eth0, but cannot ping6 the default gateway. The output of 'ip -6 route show' shows a default route via fe80::1 dev eth0. Which tool should be used to verify that the neighbor discovery process is working?

A.tcpdump -i eth0 icmp6
B.traceroute6
C.ip neigh show
D.ndp -n
AnswerC

This shows the neighbor discovery cache, including unresolved entries.

Why this answer

The 'ip neigh show' command displays the neighbor cache (the IPv6 counterpart of the ARP table), which is populated by the Neighbor Discovery Protocol (NDP). Since the default gateway is a link-local address (fe80::1), the host must have resolved the gateway's MAC address via NDP before it can send packets through it. If the entry is missing, INCOMPLETE (solicitation sent, no advertisement received) or FAILED, neighbor discovery is not working, which explains the ping failure. A STALE entry is not a failure: the link-layer address is known and the kernel re-probes it on next use.

Exam trap

The trap here is that candidates confuse the Linux command 'ip neigh show' with the BSD command 'ndp -n', or they think that packet capture (tcpdump) is the only way to diagnose NDP issues, when in fact the neighbor cache provides a direct snapshot of the resolution state.

How to eliminate wrong answers

Option A is wrong because tcpdump -i eth0 icmp6 captures all ICMPv6 traffic, including Neighbor Solicitation and Advertisement messages, but it is a packet capture tool, not a direct verification tool for the neighbor cache state; it requires interpretation of raw packets and does not show the resolved neighbor entries. Option B is wrong because traceroute6 is used to trace the path packets take to a destination, not to verify the neighbor discovery process; it assumes Layer 2 connectivity is already working. Option D is wrong because ndp -n is a command used on BSD systems (not Linux) to display the neighbor cache; on Linux, the equivalent command is 'ip neigh show'.
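Because the neighbor cache is plain text, the resolution state of the gateway can be checked from a script rather than read by eye. The helpers below are an added example, not part of the original question set; they read `ip -6 neigh show` output from stdin, and the listing embedded in the block is constructed (addresses and MACs are assumptions), laid out the way iproute2 prints it, including the lladdr-less FAILED line.

```shell
#!/bin/sh
# Parse the output of 'ip -6 neigh show' and report the NUD state of a
# gateway. Reads the listing from stdin so it works on saved output as well
# as on a live pipe:  ip -6 neigh show dev eth0 | gateway_state fe80::1 eth0

# Constructed sample listing (assumed, not captured from a real host).
SAMPLE_NEIGH='fe80::1 dev eth0 lladdr 52:54:00:aa:bb:01 router REACHABLE
2001:db8::5 dev eth0 lladdr 52:54:00:aa:bb:05 STALE
fe80::2 dev eth0  FAILED
2001:db8::9 dev eth0 INCOMPLETE'

# gateway_state ADDR IFACE: print the state of ADDR on IFACE, or MISSING when
# the cache has no entry at all (no solicitation was ever sent for it).
gateway_state() {
    addr=$1
    iface=$2
    awk -v a="$addr" -v i="$iface" '
        $1 == a && $2 == "dev" && $3 == i { print $NF; found = 1 }
        END { if (!found) print "MISSING" }'
}

# unresolved_neighbors: list entries whose state means Layer 2 resolution is
# not usable right now. STALE is still usable (re-probed on use), so it is
# deliberately not listed.
unresolved_neighbors() {
    awk '$NF == "FAILED" || $NF == "INCOMPLETE" { print $1 " on " $3 ": " $NF }'
}

# neigh_ok ADDR IFACE: exit 0 only if the neighbor has a usable lladdr.
neigh_ok() {
    case "$(gateway_state "$1" "$2")" in
        REACHABLE|STALE|DELAY|PROBE|PERMANENT|NOARP) return 0 ;;
        *) return 1 ;;
    esac
}
```

If `neigh_ok` fails for the gateway, the next step is the packet capture the question mentions (`tcpdump -ni eth0 icmp6 and ip6[40] == 135` shows the Neighbor Solicitations the host sends, type 136 the Advertisements that should come back), which tells you whether the gateway is silent or the host never asks.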

99
Matchingmedium

Match each systemd unit type to its function.

Pairings (unit type: function)

service: Manages a daemon or process

socket: Manages an IPC or network socket

timer: Triggers activation based on time events

mount: Controls filesystem mount points

target: Groups units to define system states

Why these pairings

systemd uses unit files to manage system resources; the file suffix (.service, .socket, .timer, .mount, .target) names the unit type, and each type has exactly the job listed above. A .socket unit can start the .service of the same name on the first connection, and a .timer starts the unit of the same name when its schedule fires.

100
MCQmedium

A Linux server with two Ethernet interfaces (eth0 and eth1) has been set up as a transparent bridge using brctl. The bridge is up and shows both interfaces as members. However, hosts connected to eth0 cannot communicate with hosts on eth1. What is the most likely cause?

A.Spanning Tree Protocol (STP) is enabled and is blocking one of the ports.
B.The bridge filtering rules in ebtables are dropping frames.
C.The bridge has no IP address assigned.
D.The interfaces are not in promiscuous mode.
AnswerA

With STP turned on, a newly added port passes through the listening and learning states (15 seconds each by default) before it forwards, and a port that STP leaves in blocking state never forwards; either way no frame crosses the bridge while a port is outside the forwarding state.

Why this answer

A Linux bridge is created with STP off; it is switched on with `brctl stp br0 on` (or `ip link set br0 type bridge stp_state 1`). Once STP is on, each port is held in listening and then learning for forward_delay seconds (15 by default) before it reaches forwarding, and a port that receives a better BPDU from a neighbouring switch, or that a priority/cost misconfiguration makes look redundant, is put into blocking and stays there. A two-port bridge without a loop will normally converge, but until it does nothing passes from eth0 to eth1. The state is visible with `brctl showstp br0` or `bridge link show`, which report forwarding, listening, learning, blocking or disabled per port. The exam treats STP as the most likely cause because the other three options do not affect Layer 2 forwarding at all.

Exam trap

The trap here is that candidates assume a two-port transparent bridge forwards as soon as it is up, forgetting that with STP on each port waits out listening and learning and that a port in blocking state never forwards, so they incorrectly suspect missing IP addresses or promiscuous mode instead of checking the port states.

How to eliminate wrong answers

Option B is wrong because ebtables filtering rules are not configured by default and would require explicit setup to drop frames; the question states the bridge is set up with brctl and shows both interfaces as members, implying no custom filtering. Option C is wrong because a transparent bridge operates at Layer 2 and does not require an IP address to forward frames between interfaces; an IP address is only needed for management access. Option D is wrong because Ethernet interfaces in a bridge are automatically placed into promiscuous mode by the bridge code when added via brctl; this is handled transparently and is not a configurable step.

101
MCQeasy

An administrator needs to create a Linux bridge (br0) and add an Ethernet interface (eth1) to it for KVM virtual machine networking. Which set of commands accomplishes this task?

A.ifconfig br0 up; ifconfig eth1 up; brctl addbr br0; brctl addif br0 eth1
B.ip link add br0 type bridge; ip link set eth1 master br0
C.brctl addbr br0; brctl addif br0 eth1
D.brctl addbr br0; bridge fdb add dev eth1 master br0
AnswerC

Standard bridge-utils commands to create bridge and add interface.

Why this answer

Option C is correct because `brctl addbr br0` creates a new bridge interface named br0, and `brctl addif br0 eth1` adds the physical Ethernet interface eth1 as a port of that bridge. This is the standard sequence using the legacy bridge utilities to set up a bridge for KVM virtual machine networking, where eth1 becomes a member of br0, allowing VMs to share the physical network.

Exam trap

The trap here is that candidates confuse `bridge fdb` (which edits the forwarding database of MAC addresses) with the command that enslaves an interface, and that the distractor in Option A scrambles the order of otherwise valid commands.

How to eliminate wrong answers

Option A is wrong because the order is broken: `ifconfig br0 up` runs before `brctl addbr br0` has created the device and fails, so br0 never comes up. Option B is a correct modern equivalent of Option C: `ip link add br0 type bridge` creates the bridge and `ip link set eth1 master br0` enslaves eth1, which is exactly what `brctl addbr` and `brctl addif` do. Neither B nor C brings the bridge up, so that is not what separates them; the exam marks C because the LPIC-2 objective names the bridge-utils commands. On a current system, where bridge-utils may not even be installed, use B and follow it with `ip link set br0 up`. Option D is wrong because `bridge fdb add` inserts a static forwarding-database entry (a MAC address learned on a port) rather than attaching a port, and as written it is also missing the MAC address argument it requires; the commands that attach an interface are `brctl addif` or `ip link set ... master`.
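The two bridge questions above (the STP port stuck outside forwarding, and the create-and-enslave sequence) share one tool set, so the following added example covers both; it is not code from the original question set. `make_bridge` performs the iproute2 equivalent of `brctl addbr`/`brctl addif` plus the `up` step, and needs root and real interfaces. The port-state helpers parse `bridge link show` output from stdin; the listing embedded here is constructed (interface names and bridge names are assumptions) in the format iproute2 prints.

```shell
#!/bin/sh
# Bridge helpers: build the bridge with iproute2 (what brctl addbr/addif do,
# plus the 'up' step both tool families need), and read port states from
# 'bridge link show' so a port held in STP listening/blocking is visible.

# make_bridge BR PORT...: create BR, enslave each PORT, bring everything up.
# Needs root and real interfaces; it is not exercised by the checks below.
make_bridge() {
    br=$1; shift
    ip link add "$br" type bridge          # equivalent of: brctl addbr $br
    for port in "$@"; do
        ip link set "$port" master "$br"   # equivalent of: brctl addif $br $port
        ip link set "$port" up
    done
    ip link set "$br" up                   # neither brctl nor ip does this for you
}

# Constructed sample of 'bridge link show' (assumed output, not captured).
SAMPLE_BRIDGE_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state listening priority 32 cost 100
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br1 state forwarding priority 32 cost 4'

# bridge_port_states BR: print "port state" for every port of BR, from stdin.
bridge_port_states() {
    awk -v br="$1" '
        {
            m = ""; s = ""
            for (i = 1; i < NF; i++) {
                if ($i == "master") m = $(i + 1)
                if ($i == "state")  s = $(i + 1)
            }
            if (m == br) { sub(/:$/, "", $2); print $2, s }
        }'
}

# bridge_nonforwarding BR: print ports of BR that are not forwarding; exit 1 if any.
bridge_nonforwarding() {
    bad=$(bridge_port_states "$1" | awk '$2 != "forwarding" { print $1 " is " $2 }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# On a live host:   bridge link show | bridge_nonforwarding br0
# Legacy view of the same states:   brctl showstp br0
```

A port reported as listening or learning a minute after the bridge came up, or one reported as blocking on a bridge with no redundant path, is the STP symptom the question describes; if every port is forwarding and frames still do not cross, the next things to check are `ebtables -L` and the port's own link state.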

102
MCQhard

During boot, a server's video driver causes a freeze. At the GRUB2 menu, the administrator needs to interactively add the kernel parameter 'nomodeset' to the boot entry. Which key should be pressed to access the kernel command line editor?

A.a
B.e
C.Tab
D.c
AnswerB

Pressing 'e' allows editing the selected boot entry's commands and kernel parameters.

Why this answer

Option B is correct because pressing 'e' at the GRUB2 menu enters the edit mode for the selected boot entry, allowing the administrator to modify kernel parameters interactively. This is the standard GRUB2 keybinding to access the kernel command line editor, where 'nomodeset' can be added to the 'linux' line to disable kernel mode-setting and prevent the video driver from freezing during boot.

Exam trap

The trap here is that candidates confuse the GRUB2 interactive editor key 'e' with the GRUB legacy 'a' (append) or 'c' (command line), leading them to choose options that do not provide the full editing capability required to modify kernel parameters like 'nomodeset'.

How to eliminate wrong answers

Option A is wrong because 'a' (append) is a GRUB Legacy keybinding; the GRUB2 menu does not bind it. Option C is wrong because Tab performs filename and command completion inside GRUB2's editor and command line; it does not open the editor from the menu. Option D is wrong because 'c' opens the GRUB2 command shell, where you would have to retype the complete linux and initrd commands by hand instead of editing the existing entry.

103
Multi-Selectmedium

Which THREE of the following are valid Linux bonding modes? (Choose three.)

Select 3 answers
A.link-aggregation
B.balance-rr
C.802.3ad
D.active-backup
E.802.1ad
AnswersB, C, D

Bonding mode 0, round-robin.

Why this answer

Balance-rr (round-robin) is a valid Linux bonding mode that transmits packets in sequential order from the first available slave to the last, providing load balancing and fault tolerance. It is one of the seven standard bonding modes defined in the Linux kernel bonding driver.

Exam trap

The trap here is confusing '802.3ad' (the correct bonding mode for LACP) with '802.1ad' (a VLAN stacking standard), leading candidates to select the wrong IEEE standard option.

104
MCQmedium

During boot, the kernel panics because the root filesystem cannot be mounted. Which kernel parameter should be added at the GRUB prompt to try an alternative root device?

A.root=/dev/sdb1
B.init=/bin/sh
C.rescue
D.single
AnswerA

The root= parameter explicitly specifies the root device.

Why this answer

The kernel parameter 'root=' specifies the device for the root filesystem. When the default root device fails to mount, adding 'root=/dev/sdb1' at the GRUB prompt overrides the compiled-in root and tells the kernel to attempt mounting from that alternative block device. This is the standard method to redirect the root mount during boot troubleshooting.

Exam trap

The trap here is that candidates confuse parameters the kernel itself acts on with words that are merely passed through to init, mistakenly thinking 'rescue' or 'single' can fix a root device failure when they only affect what runs after the root filesystem is mounted.

How to eliminate wrong answers

Option B is wrong because 'init=/bin/sh' changes which program the kernel executes after the root filesystem is mounted; it does not change which device the kernel mounts, so the panic happens before the parameter matters. Option C is wrong because the kernel does not interpret 'rescue'; it is passed through to init (systemd treats it as an alias for systemd.unit=rescue.target), so it has no effect on root device selection. Option D is wrong for the same reason: 'single' is handed to init to select single-user mode (rescue.target under systemd, runlevel 1 under SysV) and only takes effect after a successful root mount.

105
MCQhard

A company uses a Samba server (version 4.12) on Ubuntu 20.04 to provide file sharing for the engineering department. The server has a share [projects] defined in smb.conf with the following parameters: `path = /srv/projects`, `valid users = @engineers`, `read only = no`, `create mask = 0660`, `directory mask = 0770`. All users in the engineers group can authenticate and list the share contents but they report that they cannot create new files or modify existing ones. The command `ls -ld /srv/projects` shows `drwxrwxr-x`, and the directory is owned by root:engineers. The sysadmin has confirmed that the file system permissions on /srv/projects are set to 2775, but the setgid bit does not appear in the ls output. Additionally, users are able to create files in other shares on the same server that are configured similarly. Which of the following is the most likely cause and solution?

A.The valid users parameter should be changed to include '%engineers' instead of '@engineers'.
B.The create mask is too restrictive. Change it to 0666 to allow more permissions.
C.The directory lacks the setgid bit and new files do not inherit the engineers group. Add `force group = engineers` and `inherit permissions = yes` to the share configuration.
D.The parameter `read only = no` is being overridden by a global setting. Add `writable = yes` to the share.
AnswerC

Without the setgid bit, a file created by one member of engineers belongs to that member's primary group rather than engineers, so the group write that create mask 0660 grants does not help the next user; force group makes Samba create every file as engineers regardless.

Why this answer

The permissions shown (drwxrwxr-x) prove the setgid bit is not set: ls prints an s (or S) in the group execute position, drwxrwsr-x, when chmod 2775 has taken effect, so whatever the administrator believes, the bit is absent on this directory. Without it a new file takes the creating user's primary group, which for most users is their private group rather than engineers; create mask 0660 then grants write to that private group, and every other engineer falls back to the 'other' bits, which carry no write permission. That is why users can list but cannot modify each other's files, and why similarly configured shares whose directories do carry setgid work.

Adding `force group = engineers` makes Samba create every file and directory in the share as group engineers regardless of the connecting user's primary group, and `inherit permissions = yes` makes new files and directories copy the parent directory's permission bits (including setgid on directories) instead of deriving them only from the masks. Setting the bit on the filesystem with `chmod g+s /srv/projects` is the complementary fix and should be done as well.

Option A is wrong because `%` is Samba's variable-substitution prefix, not a group marker; `@engineers` is the correct syntax, and the users do authenticate, so `valid users` is not the problem. Option B is wrong because create mask 0660 already grants group write; widening it to 0666 would add world write without changing the group ownership that is the actual problem. Option D is wrong because `read only = no` and `writable = yes` are synonyms for the same parameter, so adding the second changes nothing.
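The tell in this question is a permission string, and it is worth having a check that reads it the same way rather than trusting what chmod was supposed to have done. The helpers below are an added example, not part of the original question set; they inspect a directory with `ls -ld` and print the filesystem and smb.conf changes a group-writable share needs. The share path and group name are whatever you pass in; nothing here talks to Samba.

```shell
#!/bin/sh
# Check whether a share directory will hand new files to the intended group.
# 'ls -ld' printing drwxrwxr-x means the setgid bit is NOT set (it would print
# drwxrwsr-x), whatever someone believes chmod 2775 did.

# setgid_in_mode MODESTRING: 0 if an ls-style mode string has setgid on the
# group execute position (s or S), 1 otherwise.
setgid_in_mode() {
    case "$(printf '%s' "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# dir_setgid_missing DIR: 0 when DIR lacks setgid (i.e. needs fixing).
dir_setgid_missing() {
    mode=$(ls -ld "$1" | awk '{print $1}')
    if setgid_in_mode "$mode"; then return 1; else return 0; fi
}

# share_group_check DIR GROUP: print the remediation a group-writable share
# needs and return 1 if anything is off, 0 if the directory is already right.
share_group_check() {
    dir=$1
    group=$2
    rc=0
    actual_group=$(ls -ld "$dir" | awk '{print $4}')
    if [ "$actual_group" != "$group" ]; then
        echo "chgrp $group $dir    # directory group is $actual_group"
        rc=1
    fi
    if dir_setgid_missing "$dir"; then
        echo "chmod 2775 $dir      # setgid so new files inherit group $group"
        rc=1
    fi
    if [ "$rc" -ne 0 ]; then
        cat <<EOF
# and in smb.conf, under the share, so Samba enforces the group even when
# a client's primary group is something else:
    force group = $group
    inherit permissions = yes
EOF
    fi
    return $rc
}
```

Run it as `share_group_check /srv/projects engineers` on the server; a clean exit means the directory already matches, and a non-zero exit prints exactly the commands and parameters the answer calls for.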

106
MCQeasy

A system administrator needs to configure a Linux client to use a specific DNS server for a particular domain. Which file should be modified to achieve this?

A.Edit /etc/hosts
B.Edit /etc/networks
C.Edit /etc/nsswitch.conf
D.Edit /etc/resolv.conf
AnswerD

resolv.conf lists the nameservers the glibc resolver queries and the domain/search suffixes it appends; it is where DNS servers are configured on a plain resolver.

Why this answer

The /etc/resolv.conf file is the configuration file of the glibc stub resolver: nameserver entries list the DNS servers to query (at most three, tried in order) and the domain/search directives set the suffixes appended to short names. It is the file the exam wants. Note, though, that the glibc resolver cannot send one domain to one server and everything else elsewhere; every nameserver listed is consulted for every name. True per-domain forwarding needs a local forwarder in front of the stub resolver, such as systemd-resolved (a routing domain like Domains=~example.com on the link, or resolvectl domain eth0 ~example.com) or dnsmasq (server=/example.com/192.0.2.53), with resolv.conf then pointing at the forwarder. On systems running systemd-resolved, /etc/resolv.conf is usually a generated symlink and manual edits are overwritten.

Exam trap

The trap here is that candidates often confuse /etc/resolv.conf with /etc/nsswitch.conf, thinking the latter controls DNS server selection, when in fact nsswitch.conf only defines the lookup order (e.g., files before dns) and never names a DNS server; a second trap is to assume resolv.conf can bind a domain to a server, which only a forwarder such as systemd-resolved or dnsmasq can do.

How to eliminate wrong answers

Option A is wrong because /etc/hosts is used for static IP-to-hostname mappings, not for specifying DNS servers per domain; it bypasses DNS entirely. Option B is wrong because /etc/networks maps network names to network numbers, not DNS server configuration. Option C is wrong because /etc/nsswitch.conf controls the order of name resolution sources (e.g., files, dns, mdns), but does not define which DNS server to use for a specific domain.

107
MCQhard

An organization uses LDAP for centralized authentication. The /etc/nsswitch.conf contains 'passwd: files ldap' and 'shadow: files ldap'. The /etc/pam.d/system-auth includes 'auth requisite pam_ldap.so' and 'account required pam_ldap.so'. However, users can log in using local accounts but not LDAP accounts. The ldapsearch command works correctly against the LDAP server. Logs show 'pam_ldap: error trying to bind as user (No such object)'. Which configuration change is most likely needed?

A.Open TCP port 389 on the client firewall.
B.Add 'uri ldaps://ldap.example.com' to /etc/ldap.conf.
C.Restart the nscd service.
D.Ensure /etc/ldap.conf contains a valid 'binddn' and 'bindpw' for the search user.
AnswerD

pam_ldap needs a bind DN to search for users.

Why this answer

The error 'pam_ldap: error trying to bind as user (No such object)' indicates that PAM LDAP cannot find the user entry in the LDAP directory. This typically occurs because the binddn (the search user) specified in /etc/ldap.conf is incorrect or missing, preventing PAM from performing the initial search to locate the user's DN. Since ldapsearch works manually, the LDAP server is reachable, but the PAM module lacks the credentials to bind and search for users.

Exam trap

The trap here is that candidates confuse a working ldapsearch (which may use anonymous bind or a different credential) with the PAM module's need for a dedicated binddn and bindpw, leading them to focus on network or caching issues instead of the missing authentication credentials for the search user.

How to eliminate wrong answers

Option A is wrong because the ldapsearch command works, proving TCP port 389 is already open and the client can reach the LDAP server; blocking the port would prevent ldapsearch from succeeding. Option B is wrong because the URI is already configured (as ldapsearch works), and changing to ldaps:// would require TLS setup and does not address the bind failure; the error is about binding, not transport security. Option C is wrong because restarting nscd (Name Service Cache Daemon) would only clear cached NSS lookups, but the error originates from PAM LDAP binding, not from NSS caching; nscd does not affect PAM authentication flows.

108
MCQhard

A developer has compiled a custom kernel with a new feature. The kernel modules are installed in /lib/modules/$(uname -r)/. However, when the system boots, the kernel fails to load some modules with 'Exec format error'. What is the most likely cause?

A.The kernel configuration has disabled module loading.
B.The modules were compiled against a different kernel version.
C.The modules have incorrect file permissions.
D.The modules are not properly ordered in the dependency file.
AnswerB

Exec format error occurs when module version doesn't match kernel.

Why this answer

The 'Exec format error' indicates that the kernel module binary is incompatible with the running kernel. This most commonly occurs when modules are compiled against a different kernel version (e.g., different kernel source tree or configuration), as the module's vermagic string must exactly match the kernel's vermagic. The kernel's module loader checks this version magic before loading; a mismatch causes the exec format error.

Exam trap

The trap here is that candidates confuse 'Exec format error' with file permission or dependency issues, but the error specifically points to an incompatible binary format, which is a hallmark of kernel version mismatch.

How to eliminate wrong answers

Option A is wrong because if module loading were disabled in the kernel configuration (CONFIG_MODULES=n), the kernel would not attempt to load modules at all; there would be no module loader to produce an 'Exec format error'. Option C is wrong because incorrect file permissions (e.g., not readable) would produce a 'Permission denied' error, not 'Exec format error'. Option D is wrong because a broken modules.dep leads to unresolved dependencies, which surface as 'Unknown symbol' errors at load time (depmod -a rebuilds the file), not as an exec format error; 'Required key not available' is a different failure again, produced by module signature enforcement.

109
MCQhard

A security analyst notices that an /etc/pam.d/common-auth file contains the line 'auth required pam_tally2.so deny=5'. What is the effect?

A.Log failed attempts only
B.Password expiration after 5 days
C.Maximum 5 concurrent sessions
D.Account lockout after 5 failed login attempts
AnswerD

pam_tally2.so with deny=5 locks the account after 5 failed login attempts.

Why this answer

pam_tally2.so counts failed login attempts per user; the deny=5 parameter refuses further logins once the counter exceeds 5 consecutive failures, until the counter is reset (pam_tally2 --user NAME --reset) or an unlock_time elapses if one is configured. Note that pam_tally2 has been removed from recent Linux-PAM releases in favour of pam_faillock.so, which takes the same deny= argument. The other options misinterpret the parameter: logging is only a side effect of counting, password ageing belongs to pam_unix and chage, and session limits to pam_limits.

110
Drag & Dropmedium

Arrange the steps to configure a Linux system as an Apache virtual host.


Why this order

First create the document root, then create the site configuration (a VirtualHost block for the name and document root, under sites-available on Debian-style layouts), enable it (a2ensite on those layouts, or include it from the main configuration), reload Apache so the new configuration is read, and finally test that the hostname resolves and the virtual host answers.

111
MCQeasy

An administrator wants to configure a virtual IP address on interface eth0 with IP 192.168.1.100/24. Which command correctly adds the virtual IP as an alias?

A.ip addr add 192.168.1.100/24 dev eth0 alias eth0:0
B.ip addr add 192.168.1.100/24 dev eth0:0
C.ip addr add 192.168.1.100/24 dev eth0 label eth0:0
D.ifconfig eth0:0 192.168.1.100 netmask 255.255.255.0
AnswerC

The label parameter is how iproute2 expresses an ifconfig-style alias; eth0:0 is not a device name the ip command can find.

Why this answer

Option C is correct. iproute2 has no concept of an alias interface: secondary addresses are simply additional addresses on the real device, added with `ip addr add 192.168.1.100/24 dev eth0`. The `label eth0:0` parameter tags that address with the legacy alias name so that `ifconfig` and older scripts still see an `eth0:0` entry; ip-address(8) requires such a label to be the interface name followed by a colon. The address is fully functional with or without the label; the label exists only for compatibility.

Exam trap

The trap here is that candidates carry the ifconfig mental model, where eth0:0 is a device, into iproute2, where it is not: `dev` must name a real interface, and the alias survives only as a label on the address.

How to eliminate wrong answers

Option A is wrong because `ip addr add` has no `alias` keyword; the command is rejected with a syntax error. Option B is wrong because `eth0:0` is not a network device; `ip addr add 192.168.1.100/24 dev eth0:0` fails with "Cannot find device "eth0:0"" since the ip command resolves `dev` against the kernel's real interfaces. Option D is wrong in the context of the question: `ifconfig eth0:0 192.168.1.100 netmask 255.255.255.0` does create the alias on systems that still ship net-tools, but the question asks for the ip command, and ifconfig is deprecated on modern distributions.

112
MCQhard

A system administrator is responsible for a production server running a custom-compiled Linux kernel version 5.15. After a routine update of the kernel source and recompilation, the server fails to boot. The error message on the console is: 'Kernel panic - not syncing: No working init found. Try passing init= option to kernel.' The administrator verifies that the root filesystem is intact by booting from a live USB and mounting the root partition. The filesystem contains the usual /sbin/init (symlinked to systemd). The administrator also checks the boot loader configuration and sees that the kernel command line includes 'root=/dev/sda1 ro'. The init binary exists and is executable. Which of the following is the most likely cause of this boot failure?

A.The boot loader's 'initrd' directive is missing or points to a non-existent file
B.The kernel was compiled without support for the ext4 filesystem
C.The init binary is missing or corrupted
D.The root filesystem is corrupted and cannot be mounted properly
AnswerA

Without the initramfs that normally runs first, the kernel mounts /dev/sda1 directly and tries to exec /sbin/init in a bare environment; when every init candidate fails to execute, the kernel reports 'No working init found'.

Why this answer

The message means the kernel got past mounting the root filesystem (otherwise it would have panicked on VFS instead) and then failed to execute every init candidate it tries (/sbin/init, /etc/init, /bin/init, /bin/sh), which is why it suggests an init= hint. The administrator has shown the binary exists and is executable, which leaves the environment the kernel handed it: a freshly rebuilt custom kernel booted without its initramfs. The initramfs is where a modern boot loads storage and filesystem modules, creates device nodes, and on many layouts mounts /usr before init starts; systemd is dynamically linked and cannot execute if its loader and libraries are not reachable on the bare root mount. A missing or dangling initrd line in the boot loader entry reproduces exactly this: root mounts, init cannot run. The check is to compare the initrd path in the boot entry with the files actually present in /boot and, if the image for the new kernel release is absent, regenerate it (update-initramfs, dracut or mkinitcpio depending on the distribution) and rerun the boot loader configuration tool.

Exam trap

LPI often tests the misconception that 'No working init found' always means the init binary is missing or corrupted, when in fact it often results from the kernel being unable to access the root filesystem due to a missing initrd or missing storage drivers.

How to eliminate wrong answers

Option B is wrong because if the kernel lacked ext4 support, the root filesystem would fail to mount entirely, resulting in a 'VFS: Cannot open root device' error, not a 'No working init found' message. Option C is wrong because the administrator explicitly verified that the init binary exists and is executable on the root partition. Option D is wrong because the administrator confirmed the root filesystem is intact by mounting it from a live USB, and a corrupted filesystem would typically produce I/O errors or a 'mount: unknown filesystem type' message, not a successful mount followed by an init failure.
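The check described above, comparing what the boot entry references with what is on disk, is easy to script. The following is an added example, not code from the original question set: it walks a grub.cfg, verifies every linux and initrd path under the mount point GRUB reads them from, and shows the root= parameter each entry passes. The kernel file names, the menuentry text and the tree it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Validate the kernel and initrd paths in a grub.cfg against the filesystem
# GRUB will read them from, and show the root= parameter each entry passes.
# PREFIX is the mount point GRUB's paths are relative to: / when /boot lives
# on the root filesystem, /boot when grub.cfg refers to files on a separate
# boot partition by paths like /vmlinuz-5.15.0.

# grub_check_entry CFG PREFIX: prints one line per linux/initrd path with
# OK/MISSING and the root= value; returns 1 if any referenced file is absent.
grub_check_entry() {
    cfg=$1
    prefix=${2%/}
    rc=0
    while read -r kw path rest; do
        case "$kw" in
            linux|linux16|linuxefi)
                root=$(printf '%s\n' "$rest" | tr ' ' '\n' | grep '^root=' | head -n1)
                if [ -f "$prefix$path" ]; then
                    echo "OK      kernel $path ${root:-(no root= parameter)}"
                else
                    echo "MISSING kernel $path ${root:-(no root= parameter)}"
                    rc=1
                fi
                ;;
            initrd|initrd16|initrdefi)
                # An initrd line may name several images (CPU microcode first).
                for img in $path $rest; do
                    if [ -f "$prefix$img" ]; then
                        echo "OK      initrd $img"
                    else
                        echo "MISSING initrd $img"
                        rc=1
                    fi
                done
                ;;
        esac
    done < "$cfg"
    return $rc
}

# Constructed example tree and grub.cfg (assumed names, not from a real host):
# the kernel exists, the initramfs it refers to was never generated.
build_example() {
    dir=$1
    mkdir -p "$dir/boot"
    : > "$dir/boot/vmlinuz-5.15.0-custom"
    cat > "$dir/grub.cfg" <<'EOF'
menuentry 'Custom 5.15' {
    linux   /boot/vmlinuz-5.15.0-custom root=/dev/sda1 ro quiet
    initrd  /boot/initrd.img-5.15.0-custom
}
EOF
}
```

On a real host run `grub_check_entry /boot/grub/grub.cfg /` (or with `/boot` as the prefix on a separate boot partition); a MISSING initrd line for the kernel you just built is the cause the question is driving at, and a MISSING kernel line or a wrong root= value points at the neighbouring questions' failures instead.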

113
Multi-Selectmedium

Which TWO statements about VLAN tagging are correct?

Select 2 answers
A.VLAN tagging can only be used with Ethernet
B.VLAN tags are always 12 bits
C.Untagged frames on a trunk port are typically assigned to the native VLAN
D.VLAN tags are added by the switch, not the host
E.Linux can use VLAN interfaces with 802.1q tags
AnswersC, E

Standard behavior: untagged traffic on a trunk belongs to native VLAN.

Why this answer

Option C is correct because on a trunk port, frames that do not carry a VLAN tag are considered to belong to the native VLAN. The switch forwards these untagged frames as part of the native VLAN, which is typically VLAN 1 by default but can be configured to any VLAN. This behavior is defined in IEEE 802.1Q and is essential for interoperability with devices that do not support VLAN tagging.

Exam trap

The trap here is that candidates often assume VLAN tags are always 12 bits, confusing the VLAN ID field with the entire tag, or they think only switches can add tags, missing the fact that hosts (e.g., Linux with 802.1Q interfaces) can also tag frames.
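The tag-versus-VID confusion is easiest to settle by decoding a frame. The following is an added example, not part of the original question set: it takes an Ethernet frame as a hex string and pulls the 802.1Q fields out of it, which shows that the tag is four bytes (TPID plus TCI) while the VID is the low twelve bits of the TCI. The two frames embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Decode the 802.1Q header of an Ethernet frame given as a hex string.
# Layout after the 12-byte MAC pair: TPID (2 bytes, 0x8100) then TCI (2 bytes)
# = PCP (3 bits) | DEI (1 bit) | VID (12 bits). The tag is 4 bytes; only the
# VID inside it is 12 bits.

# vlan_parse HEXFRAME: prints "vid=N pcp=N dei=N" for a tagged frame, or
# "untagged ethertype=0xNNNN" otherwise.
vlan_parse() {
    frame=$1
    tpid=$(printf '%s' "$frame" | cut -c25-28)        # bytes 12-13
    if [ "$tpid" != "8100" ]; then
        echo "untagged ethertype=0x$tpid"
        return 0
    fi
    tci_hex=$(printf '%s' "$frame" | cut -c29-32)     # bytes 14-15
    tci=$(( 0x$tci_hex ))
    echo "vid=$(( tci & 0x0FFF )) pcp=$(( tci >> 13 )) dei=$(( (tci >> 12) & 1 ))"
}

# vlan_vid HEXFRAME: just the VID, or 0 when untagged (VID 0 is reserved and
# never a usable VLAN, so callers can treat it as "no tag").
vlan_vid() {
    case "$(vlan_parse "$1")" in
        vid=*) vlan_parse "$1" | sed 's/^vid=\([0-9]*\).*/\1/' ;;
        *) echo 0 ;;
    esac
}

# Constructed frames (assumed, not captured). Tagged: PCP 3, DEI 0, VID 100,
# so TCI = 0x6000 | 0x064 = 0x6064, followed by the IPv4 ethertype 0x0800.
TAGGED_FRAME="ffffffffffff001122334455810060640800"
UNTAGGED_FRAME="ffffffffffff0011223344550800"

# A Linux host applies exactly this tag itself when sending through a VLAN
# subinterface:   ip link add link eth0 name eth0.100 type vlan id 100
```

Feed it the hex from a capture (`tcpdump -xx` prints frames in this form, without spaces once joined) to confirm whether a host or a switch is tagging, and which native VLAN untagged frames will land in.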

114
MCQeasy

A system fails to boot with a kernel panic: 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)'. The administrator suspects the root filesystem is not being detected. Which kernel parameter should be checked first?

A.init=/sbin/init
B.root=/dev/sda1
C.ro
D.panic=10
AnswerB

The root parameter tells the kernel which device to mount as root.

Why this answer

The kernel panic 'VFS: Unable to mount root fs on unknown-block(0,0)' indicates the kernel cannot locate the root filesystem. The 'root=' kernel parameter specifies the device for the root filesystem (e.g., root=/dev/sda1). Checking this parameter first is critical because if it is missing, incorrect, or the device name is wrong, the kernel will fail to mount the root filesystem and panic.

Exam trap

The trap here is that candidates often confuse kernel parameters that affect boot behavior (like 'ro' or 'panic') with the one that actually tells the kernel where the root filesystem lives, leading them to overlook the 'root=' parameter.

How to eliminate wrong answers

Option A is wrong because 'init=/sbin/init' specifies the path to the init program, not the root filesystem device; it does not affect VFS root mounting. Option C is wrong because 'ro' mounts the root filesystem as read-only, but it does not specify which device to use; the kernel still needs a valid 'root=' parameter. Option D is wrong because 'panic=10' sets a timeout (in seconds) before the kernel reboots after a panic, but it does not help the kernel find or mount the root filesystem.

115
MCQmedium

Refer to the exhibit. A user in the group 'staff' attempts to access the share 'share' from a Windows client. The user is prompted for credentials and authenticates successfully, but cannot write any files. What is the most likely reason?

A.The passdb backend is set to tdbsam, which does not support write operations.
B.The share has guest ok = No, which prevents guest access.
C.The valid users parameter does not include the user.
D.The share has read only = Yes, which prevents writes even for authenticated users.
AnswerD

The 'read only' parameter overrides all write permissions.

Why this answer

Option D is correct because the `read only = Yes` parameter in a Samba share definition explicitly prevents all write operations, even for authenticated users. When this parameter is set, Samba enforces read-only access at the share level, overriding any user or group permissions that might otherwise allow writes. Since the user authenticates successfully but cannot write, the most direct cause is this share-level restriction.

Exam trap

The trap here is that candidates often overlook the `read only = Yes` parameter and instead focus on authentication or user inclusion, assuming that successful authentication implies write access, but Samba's share-level read-only flag overrides all user permissions.

How to eliminate wrong answers

Option A is wrong because `passdb backend = tdbsam` is a valid backend that fully supports write operations; it stores user credentials and does not affect file write permissions. Option B is wrong because `guest ok = No` only disables guest (anonymous) access, requiring authentication, which the user has already completed successfully. Option C is wrong because if `valid users` did not include the user, the user would be denied access entirely (not prompted for credentials or allowed to authenticate), and the question states the user authenticates successfully.

116
Multi-Selecteasy

Which TWO files are commonly used by Samba for configuration and user authentication? (Choose two.)

Select 2 answers
A./etc/samba/smbusers
B./etc/passwd
C./etc/samba/smbpasswd
D./etc/hosts.allow
E./etc/samba/smb.conf
AnswersC, E

Stores Samba user passwords.

Why this answer

Option C is correct because `/etc/samba/smbpasswd` is the traditional Samba password file used for user authentication in Samba's own encrypted password format (LM/NT hashes). Option E is correct because `/etc/samba/smb.conf` is the primary Samba configuration file that defines shares, global settings, and security parameters. Both files are essential for Samba's operation: `smb.conf` controls the server behavior, while `smbpasswd` stores user credentials for SMB/CIFS authentication.

Exam trap

The trap here is that candidates often confuse `/etc/samba/smbusers` (user mapping) with authentication files, or mistakenly think `/etc/passwd` is a Samba-specific file, when in fact Samba uses its own password storage separate from the system's `/etc/passwd`.

117
MCQeasy

In Samba 4, what is the default security mode when no 'security' parameter is set in the [global] section?

A.ads
B.share
C.domain
D.user
AnswerD

Samba defaults to user-level security.

Why this answer

In Samba 4, when no 'security' parameter is explicitly set in the [global] section, the default security mode is 'user'. This means clients must authenticate with a valid username and password, and Samba validates credentials against the local passdb backend (e.g., tdbsam or LDAP). It has been the default for every release since long before Samba 4 and ensures that each connection is tied to a specific user identity.

Exam trap

The trap here is that candidates may confuse the historical 'share' security mode (which was the default in very early Samba versions) with the modern default, or mistakenly think that Samba 4 defaults to 'domain' or 'ads' because of its Active Directory integration capabilities, but the actual default remains 'user' for backward compatibility and security.

How to eliminate wrong answers

Option A is wrong because 'ads' (Active Directory) is not the default; it requires joining an Active Directory domain and uses Kerberos for authentication. Option B is wrong because 'share' mode, which authenticated clients against a per-share password rather than a user account, was deprecated in Samba 3.6 and removed in Samba 4.0, which no longer accepts it as a security mode; the closest supported equivalent is 'security = user' with 'map to guest = Bad User'. Option C is wrong because 'domain' is the NT4-style domain member mode; it is not the default, needs an explicit join, and is far less common than 'ads' in modern deployments.

118
MCQmedium

An organization is migrating from SysV init to systemd. What systemd command should be used to check the status of the HTTP service?

A.systemd-analyze httpd
B.systemctl list-units httpd
C.systemd status httpd
D.systemctl status httpd
AnswerD

This command shows whether the service is active, enabled, and other details.

Why this answer

The correct command to check the status of a service in systemd is `systemctl status httpd`. This command displays the current state, recent log entries, and process details for the specified unit. The `systemctl` utility is the primary interface for managing systemd services, while `systemd` itself is the init system daemon, not a user-facing command.

Exam trap

The trap here is that candidates confuse `systemd` (the daemon) with `systemctl` (the control tool), leading them to choose `systemd status httpd` instead of the correct `systemctl status httpd`.

How to eliminate wrong answers

Option A is wrong because `systemd-analyze` is used for analyzing boot performance and dependency trees, not for checking service status; `systemd-analyze httpd` would fail as it expects subcommands like `blame` or `critical-chain`. Option B is wrong because `systemctl list-units httpd` lists all loaded units matching the pattern, but it does not show detailed status, logs, or process information; it only shows whether the unit is active or inactive. Option C is wrong because `systemd status httpd` is not a valid command; `systemd` is the system and service manager daemon, not a command-line tool for querying service status.

119
MCQhard

You are a systems administrator for a company that runs a critical web server on a Linux system. The server has been running stably for months, but after a recent kernel update from version 5.10.0-8 to 5.10.0-9, the server fails to boot. The boot process starts, but after the kernel loads, the system hangs with no output on the console. You have physical access to the server and can interrupt the boot process. The server uses GRUB 2 as the bootloader and the root filesystem is on an LVM logical volume. The previous kernel (5.10.0-8) is still present in /boot. Which of the following is the best course of action to restore the server to a working state?

A.Interrupt the boot process at GRUB, select the advanced options, and boot the old kernel 5.10.0-8.
B.Reinstall GRUB from a live CD to fix the bootloader configuration.
C.Boot from a live CD, chroot into the system, and reinstall the new kernel package.
D.Boot from a live CD, chroot into the system, and rebuild the initrd for the new kernel.
AnswerA

This restores functionality immediately, allowing later troubleshooting of the new kernel.

Why this answer

The server fails to boot after a kernel update, but the previous kernel is still present in /boot. By interrupting GRUB 2 at boot, selecting 'Advanced options for Ubuntu' (or similar), and booting the old kernel 5.10.0-8, you bypass the problematic new kernel without modifying the bootloader or filesystem. This is the fastest, least invasive recovery method because GRUB 2 automatically detects and lists all installed kernels in /boot, including the previous one.

Exam trap

The trap here is that candidates assume the boot process failed due to a corrupted bootloader or initrd, when in fact the kernel itself is the culprit, and the simplest recovery is to boot the previous kernel from GRUB's advanced menu.

How to eliminate wrong answers

Option B is wrong because reinstalling GRUB repairs a bootloader that cannot load at all; here GRUB already loaded the kernel, so the bootloader is not at fault. Option C is wrong because reinstalling the same kernel package puts back the same files and does nothing about a regression in that kernel. Option D is wrong as a first step even though a broken initramfs for the new kernel (for example one that fails to activate the LVM root) is a plausible cause of a silent hang after the kernel loads: rebuilding it from a live environment is slower and more invasive than booting the known-good kernel, and it can be done afterwards from the running system (`update-initramfs -u -k 5.10.0-9` or `dracut --force --kver 5.10.0-9`) once the console output has shown where the new kernel actually stops.

120
MCQmedium

A company uses NIS for user authentication. A client cannot log in with network accounts but local accounts work. Which command should be used to check if the client is bound to the NIS domain?

A.ypwhich
B.ypset
C.ypcat passwd
D.domainname
AnswerA

Displays the NIS server currently bound.

Why this answer

The `ypwhich` command is used to display the NIS server to which the client is currently bound. If the client is not bound to any NIS domain, `ypwhich` returns an error, confirming the binding issue. This directly checks the NIS client-server binding, which is essential for network authentication.

Exam trap

The trap here is that candidates often confuse `domainname` (which only shows the configured NIS domain) with `ypwhich` (which confirms active binding to a server), leading them to pick D when the actual issue is a missing or failed binding.

How to eliminate wrong answers

Option B is wrong because `ypset` is used to manually set the NIS server binding for a client, not to check the current binding. Option C is wrong because `ypcat passwd` retrieves the password map from the NIS server, but it will fail if the client is not bound, and it does not directly verify binding status. Option D is wrong because `domainname` shows or sets the system's NIS/YP domain name, but it does not verify whether the client is actually bound to an NIS server; a client can have a domain name set but still be unbound.

121
MCQhard

A Linux router is experiencing asymmetric routing issues. The network has two internet connections (ISP1 and ISP2) with default routes. The administrator wants to ensure that traffic originating from a specific source IP uses ISP1 for both incoming and outgoing packets. Which ip rule configuration achieves this?

A.ip rule add from 10.0.0.10 to 0/0 table isp1; ip route add default via 1.1.1.1 table isp1; ip rule add to 10.0.0.10 table isp1
B.ip rule add from 10.0.0.10 table isp1; ip route add default via 1.1.1.1 table isp1; sysctl -w net.ipv4.conf.all.rp_filter=0
C.ip rule add from 10.0.0.10 table isp1; ip route add default via 1.1.1.1 table isp1
D.ip rule add from 10.0.0.10 table isp1; ip route add default via 1.1.1.1
AnswerB

Policy routing with table-specific default and disabled rp_filter allows asymmetric routing.

Why this answer

Option B is correct because it creates a policy routing rule that matches packets with source 10.0.0.10 and sends them to the custom table 'isp1', whose only route is a default via ISP1's gateway (1.1.1.1); the table name must be declared in /etc/iproute2/rt_tables or given as a number. The rp_filter change is what makes the inbound half work. With strict reverse-path filtering (rp_filter=1), which distributions typically enable as 1 or 2 even though the kernel's built-in default is 0, the kernel checks for every incoming packet whether a reply to its source would leave through the interface the packet arrived on, and drops it otherwise; that is exactly what asymmetric routing violates. In practice prefer loose mode (rp_filter=2) over 0: it still discards packets whose source is unreachable through any interface, so basic anti-spoofing is kept. Note also that the value the kernel applies to an interface is the maximum of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter, so lowering only the per-interface setting changes nothing while 'all' is still 1.

Exam trap

The trap here is that candidates often forget to relax reverse path filtering when implementing policy routing for asymmetric paths, assuming that the rule and the custom table are sufficient; with strict rp_filter in effect, return packets that arrive on the other ISP's interface are dropped silently, visible only as a rising IPReversePathFilter counter in /proc/net/netstat (or as 'martian source' log lines if net.ipv4.conf.all.log_martians is enabled).

How to eliminate wrong answers

Option A is wrong because the extra 'to 10.0.0.10' rule does not address reverse-path filtering and is at best useless: if 10.0.0.10 is the router's own address, the 'local' table at priority 0 already delivers such packets before the rule is consulted, and if it is a LAN host behind the router, the rule diverts packets destined to that host into table 'isp1', whose only route is the default via ISP1, so they are sent back out toward the ISP instead of to the host. Option C is wrong because it omits the rp_filter change; with strict reverse-path filtering in effect the kernel drops packets that arrive on an interface other than the one it would use to reach their source, which breaks the return half of the asymmetric path. Option D is wrong because it adds the default route to the main table (failing with 'RTNETLINK answers: File exists' if one is already there) instead of to table 'isp1'; the rule then sends the traffic to an empty table, the lookup falls through to the next rule, and the packets leave via whatever default the main table holds rather than via ISP1's gateway.
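As an added example in Python (not from the page, the kernel or iproute2): a check that computes the rp_filter mode the kernel actually applies to each interface, which is max(all, interface), and renders the ISP1 policy-routing commands with loose rather than disabled filtering. The sysctl output, the interface names eth0/eth1 and the table name isp1 are constructed; isp1 must be declared in /etc/iproute2/rt_tables before the emitted commands would run.

```python
# Added example, not iproute2 or kernel code: audits rp_filter the way the kernel
# evaluates it and renders the policy-routing commands for the ISP1 table.
# The sysctl output and interface names below are constructed.

# Constructed output in the format of `sysctl net.ipv4.conf | grep rp_filter`.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
"""

RP_MODES = {0: "off", 1: "strict", 2: "loose"}


def parse_sysctl(text):
    """Parse 'key = value' lines into a dict of ints; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = int(value)
    return settings


def effective_rp_filter(settings, iface):
    """Source validation on <iface> uses max(conf.all, conf.<iface>), so a
    per-interface 0 cannot relax a global 1 (Documentation/networking/ip-sysctl)."""
    return max(settings.get("net.ipv4.conf.all.rp_filter", 0),
               settings.get(f"net.ipv4.conf.{iface}.rp_filter", 0))


def audit_rp_filter(settings, multihomed_ifaces):
    """Map each interface to (mode, label). On interfaces that carry asymmetric
    traffic strict (1) drops the return packets; off (0) drops the anti-spoofing
    check instead; loose (2) keeps the check that the source is reachable."""
    report = {}
    names = {k.split(".")[3] for k in settings if k.startswith("net.ipv4.conf.")}
    for iface in sorted(names - {"all", "default"}):
        mode = effective_rp_filter(settings, iface)
        label = RP_MODES.get(mode, "unknown")
        if iface in multihomed_ifaces and mode == 1:
            label += " (will drop asymmetric return traffic)"
        elif mode == 0:
            label += " (no source validation)"
        report[iface] = (mode, label)
    return report


def policy_routing_commands(src_ip, table, gateway, iface, multihomed_ifaces):
    """Commands for the ISP1 table. rp_filter goes to loose (2), not 0: spoofed
    sources that no interface can reach are still rejected. `table` must exist
    in /etc/iproute2/rt_tables or be given as a number."""
    cmds = [
        f"ip route add default via {gateway} dev {iface} table {table}",
        f"ip rule add from {src_ip}/32 lookup {table} priority 100",
        "sysctl -w net.ipv4.conf.all.rp_filter=2",
    ]
    cmds += [f"sysctl -w net.ipv4.conf.{i}.rp_filter=2" for i in sorted(multihomed_ifaces)]
    return cmds


if __name__ == "__main__":
    report = audit_rp_filter(parse_sysctl(SAMPLE_SYSCTL), {"eth0", "eth1"})
    for iface, (mode, label) in report.items():
        print(f"{iface}: rp_filter={mode} {label}")
    print("\n".join(policy_routing_commands("10.0.0.10", "isp1", "1.1.1.1", "eth1", {"eth0", "eth1"})))
```

In the constructed sample, eth0 has its own rp_filter at 0 yet is still validated strictly because 'all' is 1; that is the case the audit exists to catch. Run the real check with `sysctl net.ipv4.conf | grep rp_filter` piped into `parse_sysctl`.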

122
Multi-Selecthard

An administrator is configuring a BIND 9 DNS server to support DNSSEC for the zone 'example.com'. The zone is signed using the NSEC3 algorithm. Which TWO statements are correct regarding the configuration and operation of NSEC3?

Select 2 answers
A.NSEC3 records are stored in the zone in plain text order to allow efficient denial of existence.
B.The NSEC3 record uses the 'opt-out' flag to allow insecure delegations to exist without being covered by NSEC3 records.
C.The NSEC3 record type is NXT and is used to provide authenticated denial of existence.
D.NSEC3 uses SHA-256 as the default hash algorithm.
E.NSEC3 provides authenticated denial of existence while making zone enumeration more difficult than NSEC.
AnswersB, E

Opt-out allows delegations that are not signed to be skipped.

Why this answer

Option B is correct because RFC 5155 defines an Opt-Out flag in the NSEC3 record: when it is set, the record's hash interval may contain unsigned (insecure) delegations that have no NSEC3 record of their own. This keeps the signed zone small when most delegations are unsigned, at a cost: a validator can no longer prove that an unsigned delegation inside an opt-out span is absent, so an attacker can insert a spoofed insecure delegation there (RFC 5155, section 12.2). Option E is correct because NSEC3 provides authenticated denial of existence like NSEC, but chains hashed owner names (SHA-1 over the canonical wire-format name and salt, iterated, encoded in base32hex), so a client walking the chain collects hashes rather than names; this raises the cost of zone enumeration without eliminating it, since the hashes can be attacked offline, which is why RFC 9276 now recommends zero additional iterations and an empty salt instead of relying on them for secrecy. Option A is wrong because NSEC, not NSEC3, orders records by plain-text owner name. Option C is wrong because NXT is the obsolete RFC 2535 record; NSEC3 is its own record type (type code 50). Option D is wrong because RFC 5155 defines only hash algorithm 1, SHA-1; there is no SHA-256 NSEC3 hash.

Exam trap

The trap here is that candidates often confuse NSEC3 with NSEC, assuming NSEC3 also uses plain-text ordering or that it always covers all names, when in fact NSEC3 uses hashed ordering and the opt-out flag allows skipping unsigned delegations.
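As an added worked example (not from the page, BIND or the RFC): the NSEC3 hash computation of RFC 5155 section 5 and the search a validator performs for the NSEC3 record that covers a missing name, in Python. The zone names are constructed; the only known-answer value used is RFC 5155's own example parameters (salt aabbccdd, 12 iterations), under which `example.` hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.

```python
# Added example, not BIND's code: the NSEC3 owner-name hash of RFC 5155 section 5
# and the search a validator performs for the record that covers a missing name.
# Names below are constructed except for the RFC's own parameters
# (salt aabbccdd, 12 iterations).
import base64
import hashlib

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def wire_name(name):
    """Canonical wire form: lower-cased labels, each length-prefixed, root = 0x00."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def base32hex(data):
    """Extended-hex base32 (RFC 4648), lower case. Its alphabet is in ASCII order,
    so string comparison of hashed names matches the byte order of the digests."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(B32_STD, B32_HEX)).lower()


def nsec3_hash(name, salt, iterations):
    """IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt). Algorithm 1
    (SHA-1) is the only hash RFC 5155 defines; there is no SHA-256 NSEC3."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def build_chain(names, salt, iterations):
    """Hashed owner names in chain order: sorted by hash, not by name, which is
    what stops the straightforward zone walk that plain NSEC permits."""
    return sorted((nsec3_hash(n, salt, iterations), n) for n in names)


def covering_record(chain, query_hash):
    """Return (owner_hash, next_hash) of the NSEC3 record whose interval covers
    query_hash, or None when the hash is itself an owner (the name exists).
    The last record wraps around to the first."""
    hashes = [h for h, _ in chain]
    if query_hash in hashes:
        return None
    for i, owner in enumerate(hashes):
        nxt = hashes[(i + 1) % len(hashes)]
        wraps = owner >= nxt
        if (owner < query_hash < nxt) or (wraps and (query_hash > owner or query_hash < nxt)):
            return owner, nxt
    return None


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")
    chain = build_chain(["example.", "ns1.example.", "www.example."], salt, 12)
    for h, n in chain:
        print(f"{h}.example.  NSEC3 1 0 12 aabbccdd  ; hashed owner of {n}")
    missing = nsec3_hash("nope.example.", salt, 12)
    print("nope.example. is covered by", covering_record(chain, missing))
```

The covering record is what a resolver receives in a NODATA/NXDOMAIN response; with the Opt-Out flag set on it, the same interval may also hide an unsigned delegation, which is the weakening described above.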

123
MCQmedium

A Linux client is configured with the following in /etc/nslcd.conf: 'uri ldap://10.0.0.1/', 'base dc=example,dc=com'. Which command can be used to test connectivity to the LDAP server and verify the base DN?

A.authconfig --test
B.ldapsearch -x -H ldap://10.0.0.1 -b dc=example,dc=com
C.getent passwd
D.nslcd -d
AnswerB

Directly tests LDAP query.

Why this answer

The `ldapsearch` command with `-x` (simple authentication), `-H ldap://10.0.0.1` (specifying the LDAP URI), and `-b dc=example,dc=com` (setting the search base DN) directly performs an anonymous LDAP search against the server. If the server is reachable and the base DN exists, it returns entries, confirming both connectivity and the validity of the base DN. This matches the configuration in `/etc/nslcd.conf` and is the standard tool for testing LDAP server responses. To test the base DN in isolation, add `-s base` so that only the entry `dc=example,dc=com` itself is requested: a wrong base returns LDAP result 32 (No such object), while a network or bind problem fails before any result. `-x` without `-D` is an anonymous bind, which only works if the server permits anonymous reads; otherwise pass `-D <binddn> -W` with the same `binddn` nslcd uses, and use `ldaps://` or `-ZZ` (StartTLS) for that test, since a bind over plain `ldap://` sends the password in the clear.

Exam trap

The trap here is that candidates may confuse local authentication testing tools (authconfig, getent) or daemon debugging (nslcd -d) with a direct, protocol-level LDAP query, which is the only reliable method to independently verify server connectivity and base DN validity.

How to eliminate wrong answers

Option A is wrong because `authconfig --test` only tests the local system authentication configuration (e.g., SSSD, LDAP, Kerberos settings) and does not perform an actual LDAP query to verify server connectivity or the base DN. Option C is wrong because `getent passwd` queries the local system's configured name services (via nsswitch.conf) and may return cached or fallback data; it does not directly test LDAP server connectivity or the base DN, and can succeed even if the LDAP server is unreachable if other sources are available. Option D is wrong because `nslcd -d` runs the nslcd daemon in debug mode, which logs connection attempts and errors but does not perform a single, controlled test of connectivity and base DN; it requires interpreting daemon output and may not immediately reveal a base DN mismatch.

124
MCQhard

An administrator needs to configure a Linux client to automatically obtain an IP address from a DHCP server but also ensure that the client uses a specific static DNS server (8.8.8.8) regardless of the DHCP-provided DNS. Which configuration should be applied?

A.Add 'append domain-name-servers 8.8.8.8;' to /etc/dhcp/dhclient.conf
B.Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and set PEERDNS=no and DNS1=8.8.8.8
C.Add 'prepend domain-name-servers 8.8.8.8;' to /etc/dhcp/dhclient.conf
D.Add 'supersede domain-name-servers 8.8.8.8;' to /etc/dhcp/dhclient.conf
AnswerD

supersede overrides the DHCP-provided DNS servers with the specified one.

Why this answer

Option D is correct because the `supersede` directive in `/etc/dhcp/dhclient.conf` forces the DHCP client to replace any DNS server addresses received from the DHCP server with the specified value (8.8.8.8). This ensures the client uses the static DNS server regardless of what the DHCP server offers, while still obtaining its IP address dynamically. This only applies when dhclient is the DHCP client actually in use: NetworkManager's built-in client and systemd-networkd do not read dhclient.conf, and on hosts where resolv.conf is managed by systemd-resolved or resolvconf the override has to be configured there instead.

Exam trap

The trap here is that candidates often confuse `prepend` (which adds a DNS server but does not remove DHCP-provided ones) with `supersede` (which completely replaces the DHCP-provided list), leading them to choose option C instead of D.

How to eliminate wrong answers

Option A is wrong because `append` adds the specified DNS server to the end of the list provided by the DHCP server, meaning the DHCP-provided DNS servers would still be used (and may take precedence). Option B is wrong because it applies to NetworkManager or legacy sysconfig scripts on Red Hat-based systems, not to the DHCP client configuration itself; setting `PEERDNS=no` prevents the DHCP client from modifying `/etc/resolv.conf`, but the DNS server would need to be set elsewhere, and this approach is distribution-specific and not the standard method for overriding DHCP DNS on a generic Linux client. Option C is wrong because `prepend` adds the specified DNS server to the beginning of the list, which makes it the primary resolver, but the DHCP-provided DNS servers are still present and could be used as fallbacks, which does not guarantee that only 8.8.8.8 is used.

125
Multi-Selectmedium

Which TWO Samba security modes are considered insecure and should be avoided? (Choose two.)

Select 2 answers
A.share
B.server
C.domain
D.user
E.ads
AnswersA, B

Share-level security is deprecated and insecure.

Why this answer

Samba's 'share' and 'server' security modes are the two legacy modes: both were deprecated in Samba 3.6 and removed in Samba 4.0. 'share' mode authenticated clients against a per-share password rather than a per-user account, so there was no accountability and the share passwords were secrets known to every user of the share. 'server' mode (pass-through authentication, 'security = server' with 'password server = ...') forwarded the client's logon to another SMB server; Samba had no way to verify that server's identity, so a rogue or spoofed password server could accept any password, and because Samba never learned the session key it could not provide SMB signing for those sessions. Modern Samba supports only 'user', 'domain' and 'ads'.

Exam trap

The trap here is that candidates confuse 'share' and 'server' with modern Samba modes like 'user' or 'domain', or mistakenly think 'server' refers to a secure server role, when in fact both are deprecated legacy modes that lack encrypted per-user authentication.

126
Drag & Dropmedium

Arrange the steps to configure a Linux server as an NFS client that mounts a remote export.


Why this order

The NFS client needs the nfs-common package, a mount point, an fstab entry, then mounting and verification.

127
Multi-Selectmedium

Which TWO global parameters can be used to control the security mode of a Samba server?

Select 2 answers
A.security
B.map to guest
C.netbios name
D.workgroup
E.server string
AnswersA, B

Sets the security mode (user, ads, etc.).

Why this answer

The `security` parameter is the primary global setting that defines the Samba server's security mode (e.g., user, domain, ads, server). The `map to guest` parameter controls how Samba handles authentication failures by optionally mapping invalid users to the guest account, effectively modifying the security behavior. Both are global parameters that directly influence the security mode of the Samba server.

Exam trap

The trap here is that candidates may confuse `map to guest` as a non-security parameter, but it directly alters the security posture by controlling guest fallback, making it a valid global security mode control alongside `security`.

128
Multi-Selectmedium

Which TWO commands can be used to connect to a Samba share from a Linux command line?

Select 2 answers
A.sshfs
B.smbclient
C.nfsmount
D.mount.cifs
E.ftp
AnswersB, D

smbclient can connect to SMB shares and list files.

Why this answer

B is correct because smbclient is a command-line tool that uses the SMB/CIFS protocol to connect to Samba shares, allowing file transfers and directory listing. D is correct because mount.cifs is a helper program that mounts a Samba share to a local directory using the CIFS filesystem type, enabling direct file access via the kernel's cifs module. For either tool, supply the password through a `credentials=` file (for mount.cifs) or an authentication file (`-A` for smbclient) kept at mode 0600 rather than on the command line, so it does not appear in the process list or in shell history.

Exam trap

The trap here is that candidates confuse sshfs (SSH-based) or nfsmount (NFS-based) with Samba tools, or assume ftp can access Samba shares, when only SMB/CIFS-specific commands like smbclient and mount.cifs are valid.

129
MCQhard

A system administrator needs to configure a VPN tunnel using WireGuard. The private key of the local peer is stored in /etc/wireguard/private.key. Which command should be used to set the private key via wg-quick?

A.PostUp = wg set %i private-key /etc/wireguard/private.key
B.PrivateKey = /etc/wireguard/private.key
C.Key = private-key /etc/wireguard/private.key
D.PrivateKey = $(cat /etc/wireguard/private.key)
AnswerA

wg-quick runs PostUp through bash, and `wg set <iface> private-key <file>` reads the key from that file.

Why this answer

Option A is correct because a wg-quick configuration cannot reference a key file directly: the `PrivateKey` directive must contain the base64 key itself, and everything in `[Interface]` that wg-quick does not handle itself (Address, DNS, MTU, Table and the hook lines) is passed verbatim to `wg setconf`, which performs no shell expansion. The way to keep the key out of the configuration file is the hook form the wg-quick(8) manual shows for loading the key from a separate file: `PostUp = wg set %i private-key /etc/wireguard/private.key`. wg-quick expands `%i` to the interface name and executes the line with bash after the interface is up, and `wg set` takes `private-key <file>` as the path of a file containing the base64 key. Keep both the key file and the configuration at mode 0600 (generate the key with `umask 077; wg genkey > /etc/wireguard/private.key`); `wg genkey` warns when it writes a private key to a world-accessible file.

Exam trap

The trap here is the `$(cat ...)` form in option D: it looks as though it should work because wg-quick is a bash script, but configuration values are never evaluated by the shell, so `wg setconf` receives the literal text `$(cat /etc/wireguard/private.key)` and rejects it as a malformed key. Candidates also assume `PrivateKey` accepts a path, as OpenVPN's `key` directive does.

How to eliminate wrong answers

Option B is wrong because `PrivateKey = /etc/wireguard/private.key` supplies a path where a base64-encoded 32-byte key is required; `wg setconf` rejects it. Option C is wrong because `Key` is not a directive in a WireGuard configuration file, and `private-key` is an argument of `wg set`, not configuration syntax. Option D is wrong because wg-quick does not perform command substitution on configuration values: the `$(cat ...)` text reaches `wg setconf` unexpanded and fails as an invalid key. Only the `PreUp`/`PostUp` hooks are executed by a shell, which is why option A works.

130
MCQmedium

Refer to the exhibit. A user reports that they can connect to the 'shared' share from a Windows client and read files, but cannot write any files. The share permissions on the filesystem are set to 777 on /srv/samba/shared. What is the most likely cause of the write failure?

A.The 'guest ok = yes' parameter prevents writes for authenticated users.
B.The global 'create mask = 0700' restricts the permissions of newly created files, and the share is using a default user with no write permission.
C.The 'read only = no' parameter is overridden by the 'printable = yes' in the printers share.
D.The 'browseable = yes' parameter prevents writing by design.
AnswerB

Correct. The create mask applies to all shares, and if the user does not match the owner, they may not have write access to new files.

Why this answer

Option B is correct because `create mask` is applied as a bitwise AND to the mode of every file created through Samba, and the global `create mask = 0700` strips all group and other bits, so any file created in the share is readable and writable only by the account that created it. The 777 mode on `/srv/samba/shared` governs only the directory itself (creating, renaming and deleting entries), not the permission bits of the files inside it. When the connection is mapped to a different Unix account from the one that created the existing files (the default guest or a `force user` account, or simply a colleague's account), that account owns none of them, and under 0700 it cannot open them for writing, which matches the reported symptom.

The `read only = no` in the share definition permits writes in principle, but it cannot grant more than the Unix permissions of the files allow, and the mask has already taken those away.

Exam trap

The trap here is that candidates assume filesystem permissions (777) alone guarantee write access, overlooking how Samba's `create mask` and `force user` settings can silently restrict effective permissions at the protocol level.

How to eliminate wrong answers

Option A is wrong because `guest ok = yes` allows guest connections but does not inherently prevent writes for authenticated users; it only affects guest access, and the issue here is about a user who can connect and read but not write. Option C is wrong because `read only = no` is not overridden by `printable = yes` in a different share (printers); each share has its own configuration, and the printers share does not affect the 'shared' share. Option D is wrong because `browseable = yes` controls whether the share appears in network browsing lists, not whether writing is allowed; write access is governed by `read only`, `writable`, and permission masks.

131
MCQhard

A Linux workstation must be configured to automatically mount an NFS share from server nfs.example.com:/exports/data at boot time. The share should be mounted with noexec and nosuid options. Which line should be added to /etc/fstab?

A.nfs.example.com:/exports/data /mnt/data nfs noexec,nosuid,_netdev 0 0
B.nfs.example.com:/exports/data /mnt/data nfs noexec,nosuid,_netdev 0 0
C.nfs.example.com:/exports/data /mnt/data auto noexec,nosuid,_netdev 0 0
D.nfs.example.com:/exports/data /mnt/data nfs4 noexec,nosuid 0 0
AnswerB

Correct syntax: server:path, mount point, filesystem type, options with _netdev, and dump/pass fields.

Why this answer

Option B is correct because it names the NFS filesystem type, carries the required mount options (noexec, nosuid, _netdev), and uses the standard fstab field layout. `_netdev` marks the entry as a network filesystem so that `mount -a` during boot defers it until networking is up and unmounts it before the network goes down at shutdown. systemd's fstab generator already knows that nfs and nfs4 need the network, so on systemd hosts the flag is redundant but harmless; it is still what the exam expects, and it still matters for other init systems and for scripts that use `mount -a -O no_netdev`.

Exam trap

The trap here is that candidates often forget the _netdev option for network filesystems, assuming that specifying 'nfs' as the filesystem type is sufficient, but without _netdev the mount may fail at boot if the network is not yet ready.

How to eliminate wrong answers

Option A is wrong because it is identical to option B and thus not a distinct incorrect answer; the question expects B as the correct choice. Option C is wrong because it uses 'auto' as the filesystem type instead of 'nfs', which may cause the system to probe for the filesystem type and potentially fail or behave incorrectly. Option D is wrong because it omits the _netdev option, which is necessary for network filesystems to prevent boot delays or failures when the network is not yet available; also, using 'nfs4' is acceptable but without _netdev it is incomplete.

132
Matchingmedium

Match each kernel parameter to its effect.


Enables IP forwarding between interfaces

Sets the system's hostname

Controls tendency to swap memory pages

Maximum receive socket buffer size

Maximum number of open file descriptors

Why these pairings

These sysctl parameters are commonly tuned in Linux.

133
MCQeasy

A system administrator wants to allow incoming SSH connections from only the 192.168.1.0/24 network on a Linux server. Which iptables rule accomplishes this?

A.iptables -A INPUT -p tcp --dport 22 -d 192.168.1.0/24 -j ACCEPT
B.iptables -A INPUT -p udp --dport 22 -s 192.168.1.0/24 -j ACCEPT
C.iptables -A FORWARD -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
D.iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
AnswerD

This rule correctly matches incoming SSH traffic from the specified source net.

Why this answer

Option D is correct because it appends a rule to the INPUT chain that matches TCP traffic destined for port 22 (SSH) from source IP range 192.168.1.0/24 and accepts it. On its own this ACCEPT does not exclude anyone else: iptables evaluates rules in order and falls through to the chain policy, so the rule only achieves "only from 192.168.1.0/24" when it is followed by `iptables -A INPUT -p tcp --dport 22 -j DROP` (or the INPUT policy is DROP) and sits before any broader accept. A preceding `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` keeps existing sessions flowing without re-matching every packet.

Exam trap

The trap here is confusing the INPUT and FORWARD chains, or swapping the source (-s) and destination (-d) flags, leading candidates to choose a rule that either filters the wrong direction or applies to the wrong packet flow.

How to eliminate wrong answers

Option A is wrong because it uses the destination flag (-d) instead of the source flag (-s), which would match traffic destined to the 192.168.1.0/24 network rather than traffic originating from it. Option B is wrong because SSH uses TCP, not UDP; specifying UDP on port 22 would not match SSH traffic. Option C is wrong because it adds the rule to the FORWARD chain, which handles traffic passing through the server, not traffic destined for the server itself; incoming SSH connections to the server are processed by the INPUT chain.

134
MCQmedium

Windows clients cannot see the Samba server in Network Neighborhood, but they can access shares by typing the UNC path. Which Samba daemon must be running?

A.smbd
B.samba
C.winbindd
D.nmbd
AnswerD

nmbd provides NetBIOS name resolution and browsing.

Why this answer

The nmbd daemon is responsible for NetBIOS name resolution and browsing, which enables Windows clients to discover Samba servers in Network Neighborhood. When nmbd is not running, clients can still connect via UNC paths because smbd handles file sharing directly, but browsing and name resolution fail. Note that Windows 10 from version 1709 onward no longer installs the SMB1 client that NetBIOS browsing depends on, so for those clients discovery relies on WS-Discovery, which Samba itself does not provide; the exam scenario describes the classic NetBIOS path.

Exam trap

LPI often tests the distinction between smbd (file sharing) and nmbd (browsing/name resolution), trapping candidates who assume that file access implies browsing capability.

How to eliminate wrong answers

Option A is wrong because smbd provides file and print sharing services, not NetBIOS browsing or name resolution; it handles actual data transfer once a connection is established. Option B is wrong because 'samba' is not a standard daemon name; the correct daemon for browsing is nmbd, and the samba package includes multiple daemons. Option C is wrong because winbindd resolves user and group information from Windows domain controllers, not NetBIOS name resolution or browsing.

135
MCQhard

Refer to the exhibit. Which kernel version will be booted by default when using a standard GRUB2 configuration that uses the symlinks vmlinuz and initrd.img?

A.Depends on GRUB_DEFAULT setting, but if not set, it will boot the highest versioned kernel
B.It will prompt to choose between the two kernels
C.5.10.0-9-amd64
D.5.10.0-8-amd64
AnswerC

The symlinks are updated to point to the latest installed kernel, so GRUB uses that as default.

Why this answer

When `update-grub` (or `grub-mkconfig`) generates the menu, the `10_linux` script enumerates `/boot/vmlinuz-*`, orders the kernels by version (the same ordering as `sort -V`), and writes the newest as the first entry; `GRUB_DEFAULT=0` then selects that entry. The `vmlinuz` and `initrd.img` symlinks maintained by the Debian kernel packages are updated to the same newest k
ernel on install, so both point to 5.10.0-9-amd64, and that is the kernel booted by default. The symlinks are a convenience for tools that need a stable path; GRUB's own choice comes from the version-sorted list, and the two agree.

Exam trap

The trap here is assuming that a newly installed kernel is added to the menu but does not become the default, or that GRUB will stop and ask. GRUB 2 boots the first generated entry, which is the highest version, and the symlinks agree with it; only a non-zero `GRUB_DEFAULT`, or `GRUB_DEFAULT=saved` combined with `grub-set-default`/`grub-reboot`, changes that.

How to eliminate wrong answers

Option A is wrong as the best answer because, while `GRUB_DEFAULT` does select the entry and its default of 0 is the highest version, the exhibit lists the installed kernels, so the answer can be stated concretely as 5.10.0-9-amd64; the hedge is not the expected choice. Option B is wrong because GRUB 2 only shows the menu for `GRUB_TIMEOUT` seconds with the default entry highlighted and then boots it; it does not ask which kernel to use. Option D is wrong because 5.10.0-8-amd64 is the older kernel; it remains available under the advanced options submenu as a fallback but is not entry 0.
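An added example, not GRUB's code: a Python reproduction of the version ordering grub-mkconfig applies to /boot/vmlinuz-* (numeric fields compared as numbers, newest first), showing why the menu's entry 0, and therefore the default, is the highest version and why plain string sorting gets it wrong once a field reaches two digits. The kernel filenames are constructed.

```python
# Added example, not GRUB's code: predicts which /boot/vmlinuz-* file
# grub-mkconfig's 10_linux will place first (and so boot by default with
# GRUB_DEFAULT=0) by reproducing its version-sort ordering. Filenames are constructed.
import re

# Constructed listing, as `ls /boot/vmlinuz-*` might print it.
SAMPLE_BOOT = [
    "/boot/vmlinuz-5.10.0-8-amd64",
    "/boot/vmlinuz-5.10.0-9-amd64",
    "/boot/vmlinuz-5.10.0-10-amd64",
]


def version_key(path):
    """Split the part after 'vmlinuz-' into numeric and text chunks so that
    5.10.0-10 sorts after 5.10.0-9, unlike plain string comparison. Numbers are
    tagged 0 and text 1 so mixed positions never raise a comparison error."""
    version = path.rsplit("/", 1)[-1].split("-", 1)[1]
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[^\d]+", version)]


def menu_order(paths):
    """Newest first: the order grub-mkconfig writes the entries."""
    return sorted(paths, key=version_key, reverse=True)


def default_kernel(paths):
    """Entry 0 of the generated menu, which GRUB_DEFAULT=0 boots."""
    return menu_order(paths)[0]


if __name__ == "__main__":
    for index, kernel in enumerate(menu_order(SAMPLE_BOOT)):
        print(f"entry {index}: {kernel}")
    print("string max (wrong once a field hits two digits):", max(SAMPLE_BOOT))
```

With only 5.10.0-8 and 5.10.0-9 installed, as in the exhibit, both orderings agree on 5.10.0-9; the constructed 5.10.0-10 is there to show where the naive comparison breaks.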

136
MCQhard

You are the administrator for a small office network with 20 Linux workstations and 5 Windows 10 clients. The company uses a Samba server (version 4.15) running on Ubuntu 22.04 to share a central directory /data with user-level security. Each user has a home directory on the server, and all users are in the 'staff' group. Recently, users have complained that they can access the /data share from Windows but cannot modify any files, even though they could before. The Samba configuration for the share is: [data] path = /data browseable = yes read only = no valid users = @staff create mask = 0660 directory mask = 0770 force group = staff You check the filesystem permissions on /data and find it is owned by root:staff with permissions 775. Files inside are owned by individual users and group staff with permissions 664. You also check smbstatus and see that users are connected as 'guest' rather than their actual username. What is the most likely cause of the problem?

A.The 'valid users = @staff' directive excludes root, so users cannot write because the share is owned by root.
B.The 'force group = staff' parameter overrides file ownership and prevents writes because the files are owned by root.
C.The global 'map to guest = Bad User' setting is causing users who mistype their password to be mapped to the guest account, losing write permissions.
D.The 'create mask = 0660' is too restrictive and prevents users from writing to existing files.
AnswerC

Correct: the logons are being mapped to the guest account instead of the users' own accounts, and guest has no write access to /data.

Why this answer

With `map to guest = Bad User`, a logon whose username is not a known Samba account is mapped to the guest account, whereas a valid username with a wrong password is rejected outright; only `map to guest = Bad Password` maps wrong passwords to guest. The sessions that `smbstatus` shows as 'guest' therefore mean that the usernames the Windows clients send are not being matched to Samba accounts (accounts missing from the passdb, or a domain-qualified logon name that nothing maps), or that the setting in force is actually 'Bad Password'. Either way the guest account is not a member of `staff`, so it cannot write to a 775 root:staff directory while it can still read it, which is exactly the symptom. Check `pdbedit -L`, the `username map` setting and the logon name the clients use, and consider `map to guest = Never` so that a failed logon is reported instead of silently downgraded.

Exam trap

The trap here is that candidates often focus on filesystem permissions or mask values, overlooking the global 'map to guest' setting which silently downgrades authenticated users to guest, stripping write access despite correct share-level permissions.

How to eliminate wrong answers

Option A is wrong because the 'valid users = @staff' directive does not exclude root; root is not a member of staff by default, but the share is owned by root:staff, and root can always access files regardless of valid users. Option B is wrong because 'force group = staff' only changes the group of new files to staff, not ownership, and does not prevent writes; it actually helps ensure group write permissions apply. Option D is wrong because 'create mask = 0660' only affects the permissions of newly created files, not existing files; users cannot modify existing files due to guest mapping, not the mask.

137
MCQ · easy

Which Apache module is used to rewrite URLs based on rules?

A. mod_rewrite
B. mod_proxy
C. mod_alias
D. mod_redirect
Answer: A

mod_rewrite is the module that provides a rule-based rewriting engine.

Why this answer

mod_rewrite is the correct Apache module for rewriting URLs based on rules. It uses a regular expression engine to match incoming request URIs against patterns defined in .htaccess or server configuration files, then transforms them according to specified substitution rules. This module is essential for creating clean URLs, redirecting traffic, and implementing URL-based access control.

Exam trap

The trap here is that candidates may confuse mod_alias's Redirect directive (which performs simple, static redirects) with the dynamic, rule-based rewriting capability of mod_rewrite, or incorrectly assume a module named 'mod_redirect' exists.

How to eliminate wrong answers

Option B (mod_proxy) is wrong because it is used for proxying requests to backend servers (e.g., reverse proxy, load balancing), not for rewriting URLs based on rules. Option C (mod_alias) is wrong because it maps URLs to filesystem paths or redirects requests using simple Alias or Redirect directives, but it lacks the regex-based rule engine and conditional logic of mod_rewrite. Option D (mod_redirect) is wrong because no such module exists in Apache; the Redirect directive is part of mod_alias, and the concept of URL rewriting is specifically handled by mod_rewrite.

138
MCQ · hard

A DNS server returns SERVFAIL for queries to a zone that is configured as a slave. The master server is reachable. What should the administrator check?

A. The serial number on the master is greater than on the slave.
B. The zone transfer is allowed from the slave.
C. The slave's allow-query includes the master.
D. The TSIG key is correct.
Answer: B

If the master does not allow-transfer from the slave IP, the slave cannot obtain the zone and returns SERVFAIL.

Why this answer

When a slave DNS server returns SERVFAIL for a zone it is configured to serve, but the master is reachable, the most common cause is that the master's zone transfer ACL does not include the slave's IP address. Without an explicit 'allow-transfer' directive (or equivalent) on the master permitting the slave, the master will refuse the zone transfer, leaving the slave with no valid zone data and thus returning SERVFAIL. This is a fundamental access control check in BIND and other DNS servers.

Exam trap

The trap here is that candidates often focus on serial numbers or query permissions, but the critical missing piece is the master's transfer authorization, which is a separate ACL from query access.

How to eliminate wrong answers

Option A is wrong because a higher serial number on the master is normal and necessary for the slave to detect a zone update; it does not cause SERVFAIL. Option C is wrong because 'allow-query' on the slave controls which clients can query the slave, not whether the master will transfer the zone to the slave. Option D is wrong because while an incorrect TSIG key can cause authentication failures, the question states the master is reachable, and the most direct and common cause for SERVFAIL in a slave zone is a missing or misconfigured 'allow-transfer' ACL on the master, not a key issue.

139
MCQ · medium

A system administrator notices that clients on the internal network can resolve the company's web server's hostname (www.example.com) using the internal DNS server (192.168.1.10), but external clients are unable to resolve it. The company uses BIND9 on an Ubuntu server. Which of the following configuration changes should be made on the DNS server to allow external resolution?

A. Add a 'listen-on' statement for the external IP address.
B. Enable recursion by setting 'recursion yes'.
C. Set the 'allow-query' option to 'any' in the options block.
D. Add an A record for www.example.com in the reverse zone.
Answer: A

The server must listen on the external interface to receive queries from outside.

Why this answer

Option A is correct because the BIND9 DNS server is likely only listening on the internal IP address (192.168.1.10) by default, so external queries never reach the server. Adding a 'listen-on' statement for the external IP address (e.g., the public IP assigned to the server's external interface) allows BIND to accept and respond to DNS queries from external clients on that address, enabling external resolution of www.example.com.

Exam trap

The trap here is that candidates often confuse 'listen-on' with 'allow-query' or recursion settings, mistakenly thinking that enabling recursion or opening query permissions is sufficient, when the server must first be reachable on the external IP address to accept any queries at all.

How to eliminate wrong answers

Option B is wrong because enabling recursion ('recursion yes') is not the issue—recursion is typically used for resolving queries on behalf of clients, but external clients are likely performing iterative queries, and the problem is about the server not listening on the external interface, not about recursion policy. Option C is wrong because setting 'allow-query' to 'any' controls which clients are permitted to send queries to the server, but if the server is not listening on the external IP address, queries from external clients never reach the server to be allowed or denied. Option D is wrong because adding an A record for www.example.com in the reverse zone is incorrect—reverse zones map IP addresses to hostnames (PTR records), not hostnames to IP addresses; the A record should be in the forward zone, and the issue is about accessibility, not missing records.

140
Drag & Drop · medium

Order the steps to configure a Linux system as a DHCP client using dhclient.


Why this order

First configure the interface for DHCP, then run dhclient, check address, verify route, and test.

141
MCQ · medium

A system administrator needs to ensure that a custom kernel module loads automatically at boot. The module is named 'my_driver' and is built for the current kernel. Which configuration file should be modified to ensure the module loads automatically?

A. Add the insmod command in /etc/rc.local
B. Add the module name to /etc/modules.conf
C. Add a configuration file in /etc/modules-load.d/
D. Add a configuration file in /etc/modprobe.d/
Answer: C

/etc/modules-load.d/ is the standard location for specifying modules to load at boot.

Why this answer

Option C is correct because systemd-based Linux distributions use /etc/modules-load.d/ to specify kernel modules that should be loaded automatically at boot. Placing a configuration file (e.g., my_driver.conf) containing the module name 'my_driver' in this directory instructs systemd-modules-load.service to load the module during early boot. This is the modern, distribution-agnostic method for ensuring a custom kernel module loads automatically.

Exam trap

The trap here is that candidates confuse /etc/modprobe.d/ (used for modprobe configuration) with /etc/modules-load.d/ (used for automatic loading), or they assume the legacy /etc/modules.conf is still valid on modern distributions.

How to eliminate wrong answers

Option A is wrong because /etc/rc.local is a legacy script that runs after most services have started, not during early boot when kernel modules are typically loaded; using insmod there may fail if dependencies are not yet met, and it is not the standard mechanism for automatic module loading. Option B is wrong because /etc/modules.conf is an obsolete configuration file used by the old modutils package on 2.4.x kernels; modern systems use /etc/modprobe.d/ for modprobe options and /etc/modules-load.d/ for module loading. Option D is wrong because /etc/modprobe.d/ is used to configure modprobe options (e.g., aliases, blacklists, parameters) but does not cause modules to load automatically at boot; it only affects how modules are loaded when explicitly requested.

142
MCQ · easy

Which Postfix configuration parameter specifies the domain that is appended to unqualified email addresses?

A. myhostname
B. myorigin
C. mydomain
D. mydomainname
Answer: B

myorigin specifies the domain to append to unqualified addresses.

Why this answer

The `myorigin` parameter in Postfix controls the domain that is appended to locally-originated mail from unqualified addresses (e.g., 'user' becomes 'user@example.com'). By default, it uses the value of `myhostname`, but it is commonly set to `$mydomain` to append the domain rather than the full hostname. This ensures that outbound mail has a consistent and clean sender domain.

Exam trap

The trap here is that candidates confuse `myorigin` with `mydomain` or `myhostname`, assuming the domain appended comes from the server's hostname rather than the explicit parameter designed for address qualification.

How to eliminate wrong answers

Option A is wrong because `myhostname` specifies the fully qualified hostname of the mail server (e.g., mail.example.com), not the domain appended to unqualified addresses. Option C is wrong because `mydomain` defines the local domain (e.g., example.com) but is not the parameter that directly controls appending; it is often referenced by `myorigin` via `$mydomain`. Option D is wrong because `mydomainname` is not a valid Postfix configuration parameter; the correct parameter for the domain is `mydomain`.

143
MCQ · hard

An administrator observes that only one path is shown as active for mpathb. What is the most likely cause?

A. The find_multipaths setting is incorrect.
B. The SCSI devices are not properly connected.
C. The multipathd service is not running.
D. The blacklist rule excludes the other path.
Answer: D

The sd devices are caught by a blacklist rule, so only one path (one that escapes the rule for some other reason) appears.

Why this answer

When only one path is active for a multipath device (mpathb), the most likely cause is that the other path is being excluded by a blacklist rule in the multipath configuration. The blacklist can filter out devices based on WWID, device name, or vendor/product, preventing them from being aggregated into the multipath map. This results in the path being visible to the system but not used by multipathd.

Exam trap

The trap here is that candidates often assume a missing path is due to hardware or service issues, but LPIC-2 tests the understanding that multipath configuration files (especially blacklist rules) are a common cause of path exclusion, even when all physical connections are intact.

How to eliminate wrong answers

Option A is wrong because the find_multipaths setting controls whether multipathd automatically creates maps only for devices with multiple paths; it does not cause a single active path when multiple paths exist. Option B is wrong because if SCSI devices were not properly connected, neither path would appear, or both would show as faulty, not just one active path. Option C is wrong because if the multipathd service were not running, no multipath devices would be created at all, and the administrator would not see mpathb with a single active path.

144
MCQ · easy

After modifying smb.conf, which command should be used to verify the configuration syntax before restarting Samba?

A. net conf
B. testparm
C. smbpasswd
D. smbcontrol
Answer: B

testparm validates the smb.conf syntax.

Why this answer

The correct command is `testparm`, which is specifically designed to parse and validate the syntax of the Samba configuration file `smb.conf`. It checks for errors such as misspelled parameters, invalid values, or structural issues without requiring the Samba services to be restarted. This ensures that any syntax problems are caught before applying changes to the running Samba daemons (smbd, nmbd, winbindd).

Exam trap

The trap here is that candidates may confuse `testparm` with `smbcontrol reload-config`, thinking that reloading the configuration also validates syntax, but `smbcontrol` does not perform syntax checking and will silently apply a broken configuration if the daemon accepts it, potentially causing undefined behavior.

How to eliminate wrong answers

Option A is wrong because `net conf` is used to manage Samba configuration stored in a registry-like database (e.g., via `net conf setparm` or `net conf drop`), not to validate the syntax of a traditional `smb.conf` file. Option C is wrong because `smbpasswd` is used to manage Samba user passwords and the encrypted password database (smbpasswd file or tdbsam), not to verify configuration syntax. Option D is wrong because `smbcontrol` is used to send control messages (e.g., reload-config, shutdown) to running Samba daemons, not to perform static syntax checking of the configuration file.

145
Multi-Select · medium

Which TWO options in dhcpd.conf are used to define the subnet and the address range for dynamic allocation? (Select two.)

Select 2 answers
A. option subnet-mask 255.255.255.0;
B. pool { ... }
C. range 192.168.1.10 192.168.1.100;
D. host fixed-address 192.168.1.200;
E. subnet 192.168.1.0 netmask 255.255.255.0 { ... }
Answers: C, E

Defines the dynamic address pool.

Why this answer

Option C is correct because the `range` directive in `dhcpd.conf` explicitly defines the pool of IP addresses available for dynamic (DHCP) allocation. Option E is correct because the `subnet` declaration specifies the network segment and netmask, creating the context in which the `range` statement must be nested to function. Together, they define both the subnet boundary and the dynamic address pool.

Exam trap

LPI often tests the distinction between the `subnet` declaration (which defines the network boundary) and the `option subnet-mask` statement (which is a client-facing parameter), leading candidates to incorrectly select the option as a definition of the subnet itself.

146
MCQ · easy

To protect against SSH brute-force attacks, a system administrator installs fail2ban. Which configuration file should be modified to enable the SSH jail with default settings?

A. /etc/fail2ban/fail2ban.conf
B. /etc/ssh/sshd_config
C. /etc/fail2ban/jail.local
D. /etc/fail2ban/jail.conf
Answer: C

This file overrides settings in jail.conf; enabling the SSH jail here is the proper method.

Why this answer

Option C is correct because the local configuration file /etc/fail2ban/jail.local overrides the defaults; enabling the SSH jail there is the intended method. Option D is wrong because jail.conf holds the shipped defaults and should not be edited directly; local changes go in jail.local. Option A is wrong because fail2ban.conf controls the daemon's own behavior, not the jails. Option B is wrong because sshd_config configures the SSH server itself, not fail2ban.

147
MCQ · easy

A system administrator wants to verify the integrity of a downloaded package using a GPG signature. Which command should be used after importing the distributor's public key?

A. gpg --encrypt package.tar.gz
B. gpg --verify package.tar.gz.asc package.tar.gz
C. gpg --decrypt package.tar.gz.asc
D. gpg --sign package.tar.gz
Answer: B

This verifies the detached signature against the file.

Why this answer

Option B is correct because 'gpg --verify' checks the detached signature against the file using the imported public key. Option C is wrong because 'gpg --decrypt' decrypts data rather than verifying a signature. Option D is wrong because 'gpg --sign' creates a signature. Option A is wrong because 'gpg --encrypt' encrypts data.

148
Multi-Select · easy

An administrator wants to enhance the security of a web server running Apache. Which TWO of the following actions are recommended best practices?

Select 2 answers
A. Enable the mod_info module to monitor server configuration.
B. Disable directory listing in the Apache configuration using Options -Indexes.
C. Enable .htaccess files to allow per-directory configuration changes.
D. Run the Apache worker processes as a non-root user such as www-data.
E. Enable the HTTP TRACE method for debugging purposes.
Answers: B, D

Disabling directory listing prevents attackers from browsing directory contents.

Why this answer

Option B is correct because disabling directory listing with `Options -Indexes` prevents Apache from generating a list of files in directories that lack an index file (e.g., index.html). This is a fundamental security hardening step that reduces information disclosure about the web server's file structure, which could be leveraged by an attacker to find sensitive files or configuration details.

Exam trap

The trap here is that candidates often confuse enabling `.htaccess` files (Option C) with a security best practice, when in fact it is a security anti-pattern that reduces performance and control, while the correct hardening step is to disable them and centralize configuration.

149
MCQ · easy

Which legacy SMB protocol version should be disabled for security best practices on a modern Samba server?

A. SMB2_02
B. SMB3
C. SMB2
D. SMB1
Answer: D

SMB1 (CIFS) is insecure and should be disabled.

Why this answer

SMB1 (also known as CIFS) is a legacy protocol that lacks modern security features such as pre-authentication integrity, encryption, and secure dialect negotiation. It is notoriously vulnerable to attacks like EternalBlue and SMB relay, and disabling it is a fundamental security best practice on any modern Samba server. Samba allows disabling SMB1 via the 'server min protocol = SMB2' or 'ntlm auth = no' directives in smb.conf.

Exam trap

The trap here is that candidates may confuse 'legacy' with any older protocol version, such as SMB2_02 or SMB2, and fail to recognize that SMB1 is uniquely dangerous due to its lack of encryption and signing, while SMB2 and SMB3 are considered secure enough for modern use.

How to eliminate wrong answers

Option A is wrong because SMB2_02 is an early sub-version of SMB2 that, while older, is still part of the SMB2 family and does not carry the same severe security vulnerabilities as SMB1; disabling SMB1 is the priority, not SMB2_02. Option B is wrong because SMB3 (and its variants like SMB3.0, SMB3.1.1) is the most modern and secure SMB protocol, supporting encryption, signing, and secure dialect negotiation, and should be enabled, not disabled. Option C is wrong because SMB2 is a significant security improvement over SMB1, introducing features like message signing and credit-based flow control; while older than SMB3, it is not inherently insecure and is often kept as a fallback, whereas SMB1 is the legacy protocol that must be disabled.

150
MCQ · easy

To ensure that OpenVPN clients authenticate the server, which configuration directive should be present on the client side?

A. tls-verify
B. tls-auth
C. ca
D. cert
Answer: C

ca points to the CA certificate file that verifies the server's certificate.

Why this answer

The 'ca' directive specifies the CA certificate used to verify the server's certificate. 'cert' and 'key' are for client authentication. 'tls-auth' is for additional HMAC signing.
