Linux Professional Institute Certification Level 2 (LPIC-2) — Questions 151–225

511 questions total · 7 pages · All types, answers revealed

Page 3 of 7

151
MCQ · hard

In a PAM configuration file, which control flag is used for modules that are not required but can provide additional functionality?

A. required
B. sufficient
C. requisite
D. optional
Answer: D

Module is not critical; provides additional functionality.

Why this answer

In PAM (Pluggable Authentication Modules) configuration files, the 'optional' control flag indicates that the module's success or failure is not critical to the overall authentication result. It is used for modules that provide additional functionality, such as logging or session recording, without affecting whether access is granted or denied. This allows administrators to add supplementary checks without breaking existing authentication flows.

Exam trap

The trap here is that candidates often confuse 'optional' with 'sufficient' or 'required', thinking that any module that adds functionality must be 'sufficient' to grant access, but 'optional' is specifically for non-critical enhancements that do not alter the authentication decision.

How to eliminate wrong answers

Option A is wrong because 'required' means the module must succeed for authentication to proceed; if it fails, authentication fails immediately, which is not for optional functionality. Option B is wrong because 'sufficient' means that if the module succeeds, authentication is granted immediately, bypassing further modules, which is not for non-essential additions. Option C is wrong because 'requisite' means that if the module fails, authentication fails immediately with no further processing, which is the opposite of optional behavior.

152
MCQ · medium

An administrator configures LDAP authentication on a Linux client. After making changes to /etc/nsswitch.conf and /etc/pam.d/system-auth, users can log in but cannot execute commands like 'id username'. What is the most likely cause?

A. LDAP server is not reachable
B. nsswitch.conf lacks 'ldap' for passwd
C. LDAP binddn is missing
D. PAM configuration is incorrect
Answer: B

The 'id' command uses the passwd map; if that map is not set to ldap, it won't query LDAP.

Why this answer

The 'id username' command relies on the Name Service Switch (NSS) to resolve user and group information from configured sources. If 'ldap' is not listed for the 'passwd' database in /etc/nsswitch.conf, the system will not query the LDAP server for user account details, even though PAM may have been configured to authenticate against LDAP. This mismatch allows login (via PAM) but prevents user attribute lookups (via NSS).

Exam trap

The trap here is that candidates assume LDAP authentication is fully functional because login succeeds, overlooking that NSS and PAM serve distinct roles—PAM handles authentication, while NSS handles user/group information retrieval—and both must be configured independently for LDAP integration to work completely.

How to eliminate wrong answers

Option A is wrong because if the LDAP server were unreachable, both authentication (via PAM) and user lookups (via NSS) would fail, not just the 'id' command. Option C is wrong because a missing LDAP binddn would prevent the client from binding to the LDAP directory, causing both authentication and user lookups to fail, not just the 'id' command. Option D is wrong because incorrect PAM configuration would typically cause authentication failures (login would fail), whereas the problem here is that login succeeds but user attribute lookups fail, pointing to an NSS issue.

153
Multi-Select · hard

Which two commands correctly configure SSH to disable root login? (Select two.)

Select 2 answers
A. usermod -L root
B. echo "PermitRootLogin without-password" >> /etc/ssh/sshd_config
C. echo "DenyUsers root" >> /etc/ssh/sshd_config
D. echo "PermitRootLogin yes" >> /etc/ssh/ssh_config
E. echo "PermitRootLogin no" >> /etc/ssh/sshd_config
Answers: C, E

This explicitly denies root user from SSH login.

Why this answer

Setting 'PermitRootLogin no' in sshd_config and adding 'DenyUsers root' both prevent root login via SSH. 'PermitRootLogin without-password' still allows key-based login. 'usermod -L' only locks the password, not SSH keys. Editing ssh_config affects the client side.

154
MCQ · easy

Which file is used by the NetworkManager daemon to store connection profiles on a Linux system?

A. /etc/NetworkManager/system-connections/
B. /etc/sysconfig/network-scripts/
C. /etc/netctl/
D. /etc/systemd/network/
Answer: A

NetworkManager stores connection profiles as individual files in this directory.

Why this answer

NetworkManager stores per-connection profiles in the `/etc/NetworkManager/system-connections/` directory. Each profile is a keyfile (`.nmconnection` file) containing connection parameters such as SSID, security settings, and IP configuration. When NetworkManager starts or a connection is modified, it reads and writes these files to persist network configurations across reboots.

Exam trap

The trap here is that candidates confuse the NetworkManager connection profile directory with other network configuration directories like the legacy initscripts path (`/etc/sysconfig/network-scripts/`) or systemd-networkd's path (`/etc/systemd/network/`), leading them to pick a plausible but incorrect option based on their distribution's default tools.

How to eliminate wrong answers

Option B is wrong because `/etc/sysconfig/network-scripts/` is used by the legacy `network` service (initscripts) on RHEL/CentOS 6 and earlier, not by NetworkManager. Option C is wrong because `/etc/netctl/` is the configuration directory for `netctl`, a network manager used primarily in Arch Linux, not by NetworkManager. Option D is wrong because `/etc/systemd/network/` is used by `systemd-networkd`, a separate network daemon, not by NetworkManager.

155
MCQ · medium

A company's mail server (Postfix) is rejecting incoming emails from a trusted partner with the error '550 5.7.1 Service unavailable; Client host [203.0.113.50] blocked using zen.spamhaus.org'. The partner's IP is not listed on any public DNSBL. What is the most likely cause?

A. The partner's SPF record is misconfigured, causing Postfix to reject the email.
B. The partner's IP is listed on a local DNSBL that is aggregated with zen.spamhaus.org.
C. The mail server is using greylisting and the partner's server has not retried.
D. The partner's SMTP server does not have a valid PTR record for its IP, and Postfix has reject_unknown_client_hostname enabled.
Answer: D

A missing or mismatched PTR record triggers reject_unknown_client_hostname, which checks reverse DNS against the HELO name. The error message cites zen.spamhaus.org, but the question states the IP is not listed on any public DNSBL, so the rejection must come from a different check.

Why this answer

The error message explicitly states the block is from zen.spamhaus.org, a public DNSBL. However, the partner's IP is not listed on any public DNSBL. This contradiction suggests the block is actually due to Postfix's reject_unknown_client_hostname restriction, which checks for a valid PTR record.

When the PTR record is missing or does not match the connecting IP, Postfix may log a generic DNSBL-style error if the administrator has misconfigured the restriction to use a DNSBL-like check, or the error message is misleading. Option D is correct because a missing or invalid PTR record triggers this rejection, not a DNSBL listing.

Exam trap

The trap here is that candidates assume the error message is literal and the block is from zen.spamhaus.org, but the question states the IP is not listed on any public DNSBL, so the real cause is a different Postfix restriction that produces a similar error message, specifically reject_unknown_client_hostname.

How to eliminate wrong answers

Option A is wrong because SPF records are checked via SPF policy (e.g., reject_unverified_recipient or policyd-weight), not by DNSBLs like zen.spamhaus.org, and the error message specifically cites a DNSBL block. Option B is wrong because local DNSBLs are not aggregated with zen.spamhaus.org; zen.spamhaus.org is a specific public DNSBL, and if the IP were listed on a local DNSBL, the error would reference that local list, not zen.spamhaus.org. Option C is wrong because greylisting returns a temporary failure (4xx), not a permanent 550 rejection, and the error message is a permanent 5.7.1 code, indicating a definitive block, not a retry request.

156
MCQ · medium

A company recently upgraded their Samba server from version 4.8 to 4.13. Users report that they can connect to shares but cannot write files. The Samba team verified that the share configuration has 'writable = yes' and the Linux filesystem permissions are correct (777). Which global parameter is most likely causing the issue?

A. security = user
B. server min protocol = SMB2_02
C. map to guest = Bad User
D. workgroup = EXAMPLE
Answer: B

Setting a minimum protocol may cause SMB1 clients to fail write operations if the server does not support SMB1.

Why this answer

The correct answer is B because Samba 4.13 defaults to requiring SMB3_11 as the minimum protocol, but the client may be negotiating SMB2_02 or higher. With 'server min protocol = SMB2_02', Samba allows SMB2 connections, which lack the durable handle and lease support needed for write operations in certain configurations, or the client may be using an older SMB dialect that does not support the required write semantics. The upgrade from 4.8 to 4.13 changed the default minimum protocol from SMB2_02 to SMB3_11, and setting it explicitly to SMB2_02 can cause write failures if the client or share relies on SMB3 features like persistent handles or encryption.

Exam trap

The trap here is that candidates assume 'writable = yes' and correct filesystem permissions are sufficient, overlooking that Samba's protocol version defaults changed between major releases, causing write failures due to missing SMB3 features.

How to eliminate wrong answers

Option A is wrong because 'security = user' is a common and correct setting for Samba user-level authentication and does not affect write permissions; it controls how users are authenticated, not file write capability. Option C is wrong because 'map to guest = Bad User' only affects how guest access is mapped for invalid users and does not impact write permissions for authenticated users; it is unrelated to the write failure. Option D is wrong because 'workgroup = EXAMPLE' simply sets the NetBIOS workgroup name and has no effect on file write permissions or protocol negotiation.

157
Multi-Select · medium

Which two of the following are valid methods to pass kernel parameters during the boot process? (Choose two.)

Select 2 answers
A. Edit /boot/grub/grub.cfg and append parameters to the 'linux' line
B. Use the 'linux' command in the GRUB 2 interactive shell
C. Use the 'initrd' command in GRUB
D. Write the parameter directly to /proc/cmdline
E. Set the parameter in /etc/sysctl.conf
Answers: A, B

This is a permanent method for GRUB 2.

Why this answer

Option A is correct because editing /boot/grub/grub.cfg to append parameters to the 'linux' line directly modifies the kernel command line that GRUB 2 passes to the Linux kernel at boot. This is a standard method for permanently adding kernel parameters like 'quiet' or 'nomodeset'.

Exam trap

The trap here is that candidates confuse kernel boot parameters with runtime kernel parameters, leading them to select /etc/sysctl.conf or /proc/cmdline, which are not valid for boot-time configuration.

158
MCQ · hard

Refer to the exhibit. An administrator has applied these iptables rules. Users can still SSH into the server from any IP address, which is unexpected because the administrator intended to restrict SSH to only a specific subnet. What is the most likely reason the restriction is not working?

A. The SSH rule does not specify a source IP, so it accepts connections from any IP.
B. The default policy is ACCEPT, so the DROP rule is ignored.
C. The conntrack module is not loaded, so the state matching fails.
D. The rules are in the wrong order; the DROP rule should be before the SSH rule.
Answer: A

Without a -s option, the rule matches all source IPs, leading to unrestricted SSH access.

Why this answer

Option A is correct. The default policy of ACCEPT allows all traffic that is not matched by explicit rules, and the last rule, DROP, drops everything that reaches it. However, the rule allowing SSH accepts from any source (no -s option), so the ruleset is working exactly as configured: SSH is allowed from all sources. The administrator forgot to add a source specification, and that is the issue.

Option C is wrong because conntrack is fine. Option D is wrong because the rules are in order. Option B is wrong because the DROP rule is present, but it only drops traffic after the earlier rules have accepted what they match. The correct answer is that the SSH rule does not restrict the source, so all IPs are allowed.

159
MCQ · medium

A system administrator needs to create a new 500 MB ext4 filesystem on /dev/sdb1 and mount it persistently at /data. Which set of commands accomplishes this task?

A. mkfs -t ext4 /dev/sdb1 && mount /dev/sdb1 /data
B. blkid /dev/sdb1 && echo 'UUID=... /data ext4 defaults 0 2' >> /etc/fstab && mount -a
C. mkfs.xfs /dev/sdb1 && echo '/dev/sdb1 /data xfs defaults 0 2' >> /etc/fstab && mount -a
D. mkfs.ext4 /dev/sdb1 && echo '/dev/sdb1 /data ext4 defaults 0 2' >> /etc/fstab && mount -a
Answer: D

Correctly creates ext4 filesystem and adds fstab entry for persistent mount.

Why this answer

Option D is correct because it first creates an ext4 filesystem on /dev/sdb1 using mkfs.ext4, then appends a mount entry to /etc/fstab with the correct filesystem type (ext4) and mount point (/data), and finally runs mount -a to mount all filesystems from fstab, including the new one. This sequence ensures the filesystem is created, persistently configured, and immediately mounted.

Exam trap

The trap here is that candidates may choose Option A because it seems to create and mount the filesystem, but they overlook the requirement for persistent mounting via /etc/fstab, or they may pick Option C because they confuse ext4 with XFS, not reading the filesystem type specification carefully.

How to eliminate wrong answers

Option A is wrong because it only creates the filesystem and mounts it temporarily; it does not add an entry to /etc/fstab, so the mount will not persist across reboots. Option B is wrong because it uses blkid to retrieve the UUID but then only shows a placeholder 'UUID=...' without actually inserting the real UUID into the fstab entry, and it does not create the filesystem (no mkfs command), so /dev/sdb1 may not have a filesystem at all. Option C is wrong because it creates an XFS filesystem (mkfs.xfs) and adds an XFS entry to fstab, but the question specifically requires an ext4 filesystem, not XFS.

160
Multi-Select · hard

Which TWO statements about LVM thin provisioning are correct?

Select 2 answers
A. Thin pools automatically extend when they reach 80% usage.
B. It allows creating logical volumes that can be larger than the available physical storage.
C. A thin pool cannot be extended once created.
D. It is only supported on SSDs.
E. Thin snapshots are space-efficient because they share data blocks.
Answers: B, E

Thin provisioning enables over-commitment.

Why this answer

Option B is correct because LVM thin provisioning allows creating logical volumes that appear larger than the available physical storage (overcommitment). This is achieved by allocating data blocks on demand from a thin pool, rather than reserving them at creation time. The thin pool itself must have sufficient physical storage to accommodate actual writes, but the logical volume size can exceed the pool's capacity.

Exam trap

The trap here is that candidates confuse thin provisioning with automatic extension or assume thin pools are static, when in fact thin pools can be extended and automatic extension requires explicit configuration.

161
MCQ · hard

Refer to the exhibit. A user cannot log in via SSH even though the password is correct. What is the most likely issue?

A. The password module is not configured correctly.
B. pam_unix.so nullok allows blank passwords, causing authentication to fail.
C. The /etc/nologin file exists, preventing non-root logins.
D. pam_securetty.so restricts root login via SSH, but the user is not root.
Answer: C

pam_nologin.so denies login if /etc/nologin exists, affecting all users except root.

Why this answer

pam_nologin.so checks for the existence of /etc/nologin. If that file exists, login is denied for all non-root users. pam_securetty.so restricts root to secure TTYs, but this affects root only. pam_unix.so nullok allows blank passwords; that would not prevent login.

162
MCQ · easy

A web server running Apache httpd is experiencing high load. The administrator suspects that many requests are for non-existent virtual hosts. Which configuration change would reduce the load caused by these requests?

A. Define a default virtual host that returns a 444 status code.
B. Enable logging for all virtual hosts to identify the source of requests.
C. Increase the MaxClients directive to allow more concurrent connections.
D. Disable KeepAlive to reduce the number of requests per connection.
Answer: A

A default virtual host catches requests for unknown hosts and can close the connection quickly without serving content.

Why this answer

Option A is correct because defining a default virtual host that returns a 444 status code (a non-standard Apache code meaning 'Connection closed without response') immediately terminates the connection for requests to non-existent virtual hosts. This prevents Apache from wasting resources on DNS lookups, logging, and content generation for invalid hostnames, directly reducing load from such requests.

Exam trap

The trap here is that candidates may confuse the 444 status code with a standard HTTP error like 404 or 403, or think that increasing capacity (MaxClients) or reducing overhead (KeepAlive) solves the problem, when the real issue is filtering out unwanted traffic at the virtual host level.

How to eliminate wrong answers

Option B is wrong because enabling logging for all virtual hosts would increase I/O and CPU load, making the high-load problem worse rather than reducing it. Option C is wrong because increasing MaxClients (now MaxRequestWorkers in Apache 2.4) allows more concurrent connections but does not filter out requests for non-existent virtual hosts; it could even exacerbate resource exhaustion. Option D is wrong because disabling KeepAlive reduces the number of requests per TCP connection but does not address the specific issue of requests for non-existent virtual hosts; it may increase overall connection overhead.

163
MCQ · medium

An administrator configures a DHCP relay agent using 'dhcrelay' in a network with multiple VLANs. The relay agent is on a Linux server with interfaces eth0 (VLAN 10) and eth1 (VLAN 20). The DHCP server is on VLAN 10. Which command correctly sets up the relay to forward requests from VLAN 20 to the DHCP server at 192.168.1.5?

A. dhcrelay -i eth0 192.168.1.5
B. dhcrelay -i eth1 192.168.1.5
C. dhcrelay -i eth0 -i eth1 192.168.1.5
D. dhcrelay 192.168.1.5
Answer: B

Listens on eth1 (VLAN 20) and relays to the DHCP server at 192.168.1.5.

Why this answer

Option B is correct because the `-i eth1` flag specifies the interface on which the relay agent should listen for DHCP client broadcasts (VLAN 20). The relay then unicasts those requests to the DHCP server at 192.168.1.5, which resides on VLAN 10. This ensures that only broadcasts from the client-side VLAN are forwarded, not those from the server-side network.

Exam trap

The trap here is that candidates often assume the relay must listen on the server-side interface (eth0) or on all interfaces, not realizing that the `-i` flag specifies the client-facing interface where broadcasts originate.

How to eliminate wrong answers

Option A is wrong because `-i eth0` specifies the interface on the same VLAN as the DHCP server, so the relay would listen for broadcasts on VLAN 10 instead of VLAN 20, failing to capture client requests from the remote VLAN. Option C is wrong because specifying both `-i eth0` and `-i eth1` would cause the relay to listen on both interfaces, which is unnecessary and could lead to forwarding loops or incorrect handling; the relay should only listen on the client-facing interface (eth1). Option D is wrong because omitting the `-i` flag causes dhcrelay to listen on all interfaces by default, which may forward broadcasts from VLAN 10 back to the server and create broadcast loops, and it does not restrict the relay to the specific client VLAN.

164
MCQ · hard

A server with a custom kernel fails to boot after a kernel update. The system displays a kernel panic: 'VFS: Unable to mount root fs on unknown-block(0,0)'. The root filesystem is on an LVM volume. What is the most likely cause?

A. The GRUB configuration is pointing to the wrong kernel partition.
B. The kernel does not have the necessary device drivers compiled in.
C. The root filesystem is formatted with an unsupported filesystem.
D. The initramfs is missing LVM support.
Answer: D

The kernel cannot access the LVM volume without LVM modules in initramfs.

Why this answer

The kernel panic 'VFS: Unable to mount root fs on unknown-block(0,0)' indicates the kernel cannot locate the root filesystem. Since the root filesystem resides on an LVM volume, the initramfs must contain LVM tools and modules to activate the volume group and logical volumes before the kernel can mount the root. If the initramfs was not rebuilt after the kernel update, it will lack LVM support, causing the boot failure.

Exam trap

The trap here is that candidates often assume a kernel panic with 'VFS' errors points to a missing kernel driver (Option B), but LVM root mounting depends on the initramfs, not compiled-in kernel drivers.

How to eliminate wrong answers

Option A is wrong because the GRUB configuration pointing to the wrong kernel partition would typically result in a different error, such as 'file not found' or a blank screen, not a VFS mount failure on an LVM volume. Option B is wrong because the kernel does not need device drivers compiled in for LVM; LVM is handled by userspace tools in the initramfs, not by kernel drivers. Option C is wrong because the root filesystem being formatted with an unsupported filesystem would produce a different error, such as 'unknown filesystem type', not 'unknown-block(0,0)', and LVM volumes commonly use ext4 or xfs which are well-supported.

165
MCQ · easy

Which file is used by GRUB2 to load the kernel and initramfs?

A. /etc/lilo.conf
B. /etc/default/grub
C. /boot/grub/menu.lst
D. /boot/grub/grub.cfg
Answer: D

GRUB2 uses grub.cfg as its main configuration file.

Why this answer

GRUB2 uses /boot/grub/grub.cfg as its main configuration file, which contains the menu entries, kernel paths, and initramfs locations. This file is generated by update-grub (or grub-mkconfig) based on scripts in /etc/grub.d/ and settings in /etc/default/grub, and it is read directly by the GRUB2 bootloader at boot time to load the kernel and initramfs.

Exam trap

The trap here is that candidates often confuse /etc/default/grub (the user configuration file) with the actual bootloader configuration file /boot/grub/grub.cfg, or they mistakenly associate GRUB2 with the legacy menu.lst file used by GRUB Legacy.

How to eliminate wrong answers

Option A is wrong because /etc/lilo.conf is the configuration file for LILO (LInux LOader), a legacy bootloader that is not used by GRUB2. Option B is wrong because /etc/default/grub is a user-editable file that stores GRUB2 environment variables (e.g., GRUB_DEFAULT, GRUB_TIMEOUT), but it is not read directly by the bootloader; it is used by grub-mkconfig to generate grub.cfg. Option C is wrong because /boot/grub/menu.lst is the configuration file for GRUB Legacy (version 0.97 and earlier), not for GRUB2 (version 1.99+), which uses a different syntax and file structure.

166
MCQ · easy

A web server running Apache is receiving many failed login attempts. Which tool should be used to dynamically block IPs after a configurable number of failures?

A. fail2ban
B. TCP Wrappers
C. /etc/hosts.deny
D. iptables
Answer: A

Monitors logs and dynamically bans IPs via firewall rules.

Why this answer

Option A is correct because fail2ban scans log files and blocks IPs using firewall rules. Option B is wrong because TCP Wrappers provides host-based access control but is not dynamic. Option D is wrong because iptables alone does not have a dynamic failure counter.

Option C is wrong because hosts.deny is static, not dynamic.

167
MCQ · easy

A server running Linux with an ext4 filesystem on /dev/sda1 has experienced an unexpected power loss due to a faulty power supply. After replacing the power supply and rebooting, the system fails to mount /dev/sda1 with an error message indicating 'wrong superblock magic number' or 'superblock corrupted'. The administrator recalls that ext4 filesystems have backup superblocks created during mkfs. Using the command 'dumpe2fs /dev/sda1 | grep -i backup' is not possible because the device is not mountable. However, the administrator remembers that for this specific filesystem, a backup superblock is located at block offset 32768 based on the output of 'mke2fs -n' from the original creation. What is the correct course of action to recover the filesystem and mount it?

A. Run `fsck.ext4 -b 32768 /dev/sda1` to restore the superblock, then mount the filesystem.
B. Run `e2fsck -fy /dev/sda1` to force a filesystem check.
C. Run `dd if=/dev/zero of=/dev/sda1 bs=4k count=1` to zero the superblock, then create a new filesystem with mkfs.ext4.
D. Run `tune2fs -j /dev/sda1` to add a journal to the filesystem.
Answer: A

This uses the backup superblock at block 32768 to repair the filesystem, allowing it to mount.

Why this answer

Option A is correct because fsck.ext4 with the -b option specifies the backup superblock location, allowing the filesystem to be repaired and mounted. Option C destroys the superblock and data. Option D adds a journal but does not recover the superblock.

Option B attempts to use the default superblock, which is corrupted, and will likely fail.

168
MCQ · medium

A Linux server requires several VLAN interfaces on eth0. The network switch expects 802.1Q tagged frames for VLAN 10. Which command correctly creates the VLAN interface?

A. modprobe 8021q; ifconfig eth0 up
B. vconfig add eth0 10
C. ip link add link eth0 name eth0.10 type vlan id 10
D. ifconfig eth0:10 192.168.10.1/24 up
Answer: C

Standard iproute2 command to create VLAN interface.

Why this answer

Option C is correct because the `ip link` command with the `type vlan id 10` parameter creates a VLAN subinterface on eth0 that tags outgoing frames with VLAN 10 using the 802.1Q standard. This is the modern, recommended method for VLAN interface creation on Linux, replacing legacy tools like `vconfig`.

Exam trap

The trap here is that candidates often confuse IP aliasing (using `ifconfig` with a colon, like eth0:10) with VLAN tagging, but aliases do not add 802.1Q tags and are used for multiple IP addresses on the same VLAN, not for separate VLANs.

How to eliminate wrong answers

Option A is wrong because `modprobe 8021q` loads the 8021q kernel module (necessary for VLAN support), but `ifconfig eth0 up` only brings the physical interface up without creating any VLAN interface. Option B is wrong because `vconfig add eth0 10` is a legacy command that creates a VLAN interface named eth0.10, but it is deprecated and not the recommended approach; the question asks for the command that 'correctly creates' the VLAN interface, and modern distributions favor `ip link`. Option D is wrong because `ifconfig eth0:10 192.168.10.1/24 up` creates an IP alias (a virtual interface with a colon notation) on eth0, not an 802.1Q VLAN interface; aliases do not add VLAN tags to frames.

169
MCQ · hard

Given the mount options shown, which of the following events will cause the NFS mount to become unresponsive (hang)?

A. The NFS server reboots.
B. The network becomes saturated.
C. The client runs out of disk space on /mnt/data.
D. The /mnt/data directory is deleted locally.
Answer: A

With 'hard' mount, the client will continuously retry, causing a hang until the server responds.

Why this answer

When the NFS server reboots, the client's TCP connection to the server is broken. With the `hard` mount option (default), the client will retry indefinitely until the server comes back online, causing all processes accessing the mount to hang (become unresponsive). The `intr` option (if not set) prevents interruption by signals, making the hang persistent until the server responds.

Exam trap

LPI often tests the misconception that network saturation or local disk issues cause NFS hangs, but the key is that only a hard mount with a server reboot (or network partition that breaks the connection) leads to an indefinite hang, while other issues result in errors or retries without freezing the client.

How to eliminate wrong answers

Option B is wrong because network saturation causes timeouts and retransmissions, but with `soft` or `hard` mounts, the client will either return an error (soft) or retry (hard) without hanging indefinitely—only a hard mount with no intr option can cause a permanent hang, and saturation alone does not break the connection. Option C is wrong because the client running out of disk space on /mnt/data affects local writes, but NFS mounts operate over the network; the server's disk space is what matters, and the client's local disk space does not impact NFS responsiveness. Option D is wrong because deleting the /mnt/data directory locally only removes the mount point directory; the NFS mount remains active, and the kernel still has a reference to the superblock, so operations will continue to work (though new accesses via the deleted path may fail with ENOENT, but the mount itself does not hang).

170
MCQ · hard

Given the exhibit, what is the most likely reason for the GPG error, and what is the correct way to fix it permanently?

A. The repository is not signed; use '--allow-unauthenticated' permanently in /etc/apt/apt.conf.d/
B. The repository URL is incorrect; change 'http://deb.example.com' to 'https://deb.example.com'
C. The InRelease file is corrupted; remove it and run 'apt-get update' again
D. The public key is missing; obtain and add it with 'apt-key add' or 'wget -O- | apt-key add -'
Answer: D

Adding the correct public key resolves the error.

Why this answer

The GPG error indicates that the repository's Release file is signed but the system lacks the corresponding public key to verify the signature. This is a common issue when adding third-party repositories. The correct permanent fix is to obtain the missing public key and add it to the APT keyring using 'apt-key add' or by piping the key with 'wget -O- | apt-key add -', which allows APT to authenticate the repository's metadata.

Exam trap

The trap here is that candidates often confuse a missing GPG key with a corrupted file or an incorrect repository URL, but the GPG error message explicitly mentions 'NO_PUBKEY', which directly points to a missing public key.

How to eliminate wrong answers

Option A is wrong because '--allow-unauthenticated' bypasses signature verification entirely, which is insecure and not a permanent fix; it also violates APT's security model. Option B is wrong because changing the URL from HTTP to HTTPS does not resolve a missing GPG key; it addresses transport security, not authentication of the repository's content. Option C is wrong because removing the InRelease file and re-running 'apt-get update' will not fix a missing public key; the error will persist as APT cannot verify the signature without the key.

171
MCQeasy

A system administrator wants to combine two Gigabit Ethernet interfaces of a Linux server into a single logical interface to increase throughput and provide redundancy. Which kernel module should be loaded to support this? (Assume the interfaces are identical and are connected to the same switch.)

A.bridge
B.bonding
C.teaming
D.802.1q
AnswerC

The teaming kernel module provides link aggregation and redundancy using the libteam library.

Why this answer

The teaming kernel module (libteam) is the correct choice because it provides a modern, flexible method for link aggregation that supports both throughput increase and redundancy via active-backup or load-balancing modes. Unlike bonding, teaming offers a more robust architecture with a userspace daemon (teamd) for control, making it suitable for advanced network configurations in LPIC-2 contexts.

Exam trap

The trap here is that candidates often confuse bonding and teaming, assuming bonding is always the default or only option, but LPIC-2 emphasizes teaming as the modern replacement with better control and flexibility.

How to eliminate wrong answers

Option A is wrong because the bridge module creates a software bridge that forwards frames between interfaces at Layer 2, but it does not aggregate bandwidth or provide failover; it simply connects separate network segments. Option B is wrong because bonding is an older kernel module that also supports link aggregation and redundancy, but the question explicitly marks teaming as correct, indicating a preference for the newer teaming technology in this LPIC-2 scenario. Option D is wrong because the 802.1q module enables VLAN tagging (IEEE 802.1Q), which is unrelated to combining interfaces for increased throughput or redundancy.

172
MCQeasy

An administrator configures a bridge br0 with two ports (eth0 and eth1). The network uses STP. After configuration, packets from a host on eth0 to a host on eth1 are not forwarded. The bridge shows blocking state for one of the ports. What is the most likely cause?

A.Incorrect MTU
B.STP is disabled
C.MAC address learning is disabled
D.The bridge is in promiscuous mode
E.The bridge has loop detection and blocked one port
AnswerE

STP blocks redundant paths to prevent loops, which can cause one port to be in blocking state.

Why this answer

The bridge br0 has two ports (eth0 and eth1) and STP is enabled. STP detects a loop in the network — in this case, the bridge itself with two ports on the same broadcast domain creates a loop. To prevent broadcast storms and MAC table instability, STP places one of the ports into the blocking state, which stops forwarding frames between the two ports.

This is why packets from a host on eth0 to a host on eth1 are not forwarded.

Exam trap

The trap here is that candidates often think STP only blocks ports when there are multiple switches in a loop, but STP also blocks ports on a single bridge with two ports in the same broadcast domain because it sees a loop between its own ports.

How to eliminate wrong answers

Option A is wrong because an incorrect MTU would cause fragmentation issues or dropped packets, not a port to be placed into a blocking STP state. Option B is wrong because if STP were disabled, both ports would be forwarding and no port would be in blocking state; the question explicitly states STP is used. Option C is wrong because disabling MAC address learning would cause the bridge to flood all frames out all ports, but it would not cause a port to be blocked by STP.

Option D is wrong because promiscuous mode is a NIC setting that allows capturing all packets on a segment; it does not cause STP to block a port.

173
Drag & Dropmedium

Arrange the steps to configure a Linux system as a DNS server using BIND.

Why this order

After installing BIND, define the zone, create zone file, check syntax, then restart and test.

174
MCQhard

An administrator needs to disable IPv6 on a running system without rebooting and make the change permanent across reboots. Which set of commands should be used?

A.modprobe -r ipv6
B.echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 && edit /etc/sysctl.conf to add net.ipv6.conf.all.disable_ipv6=1
C.Edit /boot/grub/grub.cfg to add ipv6.disable=1
D.sysctl -w net.ipv6.conf.all.disable_ipv6=1
AnswerB

echo changes the runtime parameter; editing /etc/sysctl.conf makes it permanent. Both steps are necessary.

Why this answer

Option B is correct because it combines a runtime sysctl command to immediately disable IPv6 on the running system without a reboot, and a persistent configuration in /etc/sysctl.conf to ensure the setting survives reboots. The /proc/sys/net/ipv6/conf/all/disable_ipv6 file controls the IPv6 stack at runtime, and sysctl.conf applies the kernel parameter at boot time.

Exam trap

The trap here is that candidates often choose Option D (sysctl -w) alone, forgetting that the question explicitly requires the change to be permanent across reboots, which necessitates editing a persistent configuration file like /etc/sysctl.conf.

How to eliminate wrong answers

Option A is wrong because modprobe -r ipv6 attempts to unload the IPv6 kernel module, but on most modern systems IPv6 is built into the kernel (not a module) or compiled as a module that cannot be removed while in use, and this method does not provide a permanent configuration across reboots. Option C is wrong because editing /boot/grub/grub.cfg to add ipv6.disable=1 is a boot-time kernel parameter that requires a reboot to take effect, and it disables IPv6 entirely at the kernel level, which is not what the question asks (the change must be made on a running system without rebooting). Option D is wrong because while sysctl -w net.ipv6.conf.all.disable_ipv6=1 immediately disables IPv6 on the running system, it does not make the change permanent across reboots — the setting will revert to the default after a reboot unless also added to a persistent configuration file like /etc/sysctl.conf or /etc/sysctl.d/.

175
MCQhard

A system's root filesystem on /dev/sda1 is offline. The administrator boots into rescue mode and needs to check the filesystem integrity. Which command should be used first?

A.dumpe2fs /dev/sda1
B.fsck.ext4 -f /dev/sda1
C.e2fsck -p /dev/sda1
D.fsck -N /dev/sda1
AnswerC

The -p (preen) option automatically fixes safe problems without prompting.

Why this answer

Option C is correct because `e2fsck -p` runs an automatic, non-interactive filesystem check on the ext2/ext3/ext4 filesystem, which is the safest first step when the root filesystem is offline and the administrator is in rescue mode. The `-p` flag automatically repairs any problems that can be safely fixed without user intervention, minimizing risk of further damage. This command is specifically designed for ext-family filesystems and is the recommended initial integrity check before attempting any manual repairs.

Exam trap

The trap here is that candidates confuse `dumpe2fs` (metadata display) or `fsck -N` (dry-run) with actual integrity checking, or they choose `fsck.ext4 -f` thinking a forced check is always best, overlooking that the `-p` (preen) mode is the standard first-step for safe, automated repair in rescue environments.

How to eliminate wrong answers

Option A is wrong because `dumpe2fs` only displays superblock and block group information (metadata) from the filesystem; it does not perform any integrity check or repair, so it cannot verify filesystem integrity. Option B is wrong because `fsck.ext4 -f` forces a full check even if the filesystem appears clean, but it runs interactively by default and may prompt for user input, which is undesirable in a rescue scenario where automation and safety are prioritized; the `-p` flag in option C is more appropriate for a first pass. Option D is wrong because `fsck -N` merely shows what would be done (a dry-run) without actually checking or repairing the filesystem, so it provides no integrity verification.

176
MCQmedium

An administrator needs to create a Samba share that allows all users in the 'staff' group read/write access, but denies access to everyone else. Which configuration achieves this?

A.[share]\n path = /data\n read list = staff\n read only = yes
B.[share]\n path = /data\n valid users = @staff\n read only = no
C.[share]\n path = /data\n valid users = staff\n read only = yes
D.[share]\n path = /data\n write list = @staff\n browseable = yes
AnswerB

This restricts access to the staff group and grants read/write.

Why this answer

Option B is correct because it uses `valid users = @staff` to restrict access exclusively to members of the 'staff' group, and `read only = no` grants read/write permissions to those valid users. The `@` prefix in Samba denotes a group, ensuring only group members can connect, while `read only = no` overrides the default read-only behavior to allow writes.

Exam trap

The trap here is that candidates often forget the `@` prefix for group names in Samba, mistaking a plain group name for a valid user list, or they assume `write list` alone restricts access without realizing it only adds write privileges to users who already have read access.

How to eliminate wrong answers

Option A is wrong because `read list = staff` only grants read access to the 'staff' group, but `read only = yes` makes the share read-only for everyone, so no write access is possible. Option C is wrong because `valid users = staff` (without the `@` prefix) treats 'staff' as a username, not a group, so it would only allow a user named 'staff' to connect, not the group; additionally, `read only = yes` prevents writes. Option D is wrong because `write list = @staff` grants write access to the 'staff' group, but without a `valid users` directive, other users can still connect (e.g., as guests) and may have read access depending on global settings, failing to deny access to everyone else.

177
Multi-Selectmedium

Which TWO of the following commands can be used to list currently loaded kernel modules? (Choose two.)

Select 2 answers
A.modinfo -l
B.cat /proc/modules
C.ls /lib/modules/$(uname -r)
D.depmod -e
E.lsmod
AnswersB, E

/proc/modules directly shows the kernel's current modules; cat displays it.

Why this answer

Option B is correct because `/proc/modules` is a virtual file maintained by the kernel that lists all currently loaded kernel modules, including their size, usage count, and dependent modules. Reading this file provides a real-time snapshot of the kernel's module state. Option E is correct because `lsmod` is a user-space utility that parses `/proc/modules` and formats the output in a human-readable table, making it the standard command for listing loaded modules.

Exam trap

The trap here is that candidates confuse listing available modules on disk (Option C) with listing currently loaded modules, or mistakenly think `modinfo` or `depmod` can enumerate loaded modules when they are designed for module metadata and dependency resolution, respectively.

178
MCQhard

Which sysctl parameter controls the system's behavior when a kernel oops occurs (e.g., automatically reboot)?

A.vm.panic_on_oom
B.kernel.unknown_nmi_panic
C.kernel.panic_on_oops
D.kernel.oops
AnswerC

Setting this to 1 causes a panic on oops, which can then trigger a reboot via kernel.panic.

Why this answer

The `kernel.panic_on_oops` sysctl parameter controls the system's behavior when a kernel oops occurs. Setting it to 1 causes the kernel to panic on an oops, and if `kernel.panic` is also set to a positive value (e.g., seconds before reboot), the system will automatically reboot after the panic. This is the correct parameter for triggering a reboot on an oops.

Exam trap

The trap here is that candidates confuse `kernel.panic_on_oops` with `vm.panic_on_oom` or assume a non-existent parameter like `kernel.oops` exists, because both involve panic behavior but apply to entirely different kernel events (oops vs. OOM).

How to eliminate wrong answers

Option A is wrong because `vm.panic_on_oom` controls the system's behavior on an out-of-memory (OOM) condition, not on a kernel oops; it triggers a panic when the OOM killer is invoked, but is unrelated to oops events. Option B is wrong because `kernel.unknown_nmi_panic` controls whether the kernel panics on an unknown Non-Maskable Interrupt (NMI), not on a kernel oops. Option D is wrong because `kernel.oops` is not a valid sysctl parameter; the correct parameter is `kernel.panic_on_oops`.

179
MCQeasy

Refer to the exhibit. A user attempts to access the 'public' share without authentication. What will be the outcome?

A.Access denied because security = user
B.Access granted as guest because map to guest = Bad User and guest ok = yes
C.Access denied because read only = yes
D.Access granted with full read/write because guest ok = yes
AnswerB

Correct; guest access is enabled.

Why this answer

Option B is correct because the Samba configuration combines `map to guest = Bad User` with `guest ok = yes`. When a user attempts to access the 'public' share without authentication, Samba treats the connection as a guest due to the 'Bad User' mapping (since no valid credentials were provided). The `guest ok = yes` directive then explicitly grants access to the share, allowing the user to connect as the guest account (typically 'nobody').

Exam trap

The trap here is that candidates assume `security = user` always blocks unauthenticated access, overlooking the fact that `map to guest = Bad User` can override this by redirecting failed logins to the guest account, especially when combined with `guest ok = yes`.

How to eliminate wrong answers

Option A is wrong because `security = user` alone does not deny guest access; it only requires user-level authentication for non-guest connections, but the `map to guest = Bad User` and `guest ok = yes` override this for unauthenticated users. Option C is wrong because `read only = yes` only restricts write operations, not read access; it does not prevent a guest from connecting and reading files. Option D is wrong because `guest ok = yes` grants access but does not automatically provide full read/write permissions; the `read only = yes` directive in the share definition restricts write access, so the user would only have read access.

180
MCQmedium

Which file is used to configure the LDAP client for system authentication on a modern Linux system using nss-pam-ldapd?

A./etc/openldap/ldap.conf
B./etc/nsswitch.conf
C./etc/nslcd.conf
D./etc/ldap.conf
AnswerC

Correct file for nslcd daemon.

Why this answer

Option C is correct because /etc/nslcd.conf is the configuration file for nslcd, the LDAP name service daemon used by nss-pam-ldapd to perform LDAP queries for system authentication and user/group lookups. This daemon communicates with the LDAP server and provides the results to NSS and PAM modules, making it the central configuration point for LDAP client authentication on modern Linux systems.

Exam trap

The trap here is that candidates often confuse /etc/nslcd.conf (used by nss-pam-ldapd) with /etc/ldap.conf (used by the older nss_ldap/pam_ldap) or /etc/openldap/ldap.conf (used by OpenLDAP client tools), leading them to select a wrong answer based on familiarity with a different LDAP client stack.

How to eliminate wrong answers

Option A is wrong because /etc/openldap/ldap.conf is the configuration file for the OpenLDAP client libraries (libldap), used by tools like ldapsearch, not by nss-pam-ldapd's nslcd daemon. Option B is wrong because /etc/nsswitch.conf controls the order of name service sources (e.g., files, ldap, dns) but does not contain LDAP server connection parameters or credentials. Option D is wrong because /etc/ldap.conf is the legacy configuration file for the older nss_ldap and pam_ldap packages, not for the modern nss-pam-ldapd implementation.

181
MCQhard

A server with IP 10.0.0.1 needs to forward packets from network 192.168.1.0/24 to 10.0.0.0/24. The administrator runs: 'iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j MASQUERADE'. However, traffic from 192.168.1.0/24 cannot reach 10.0.0.0/24. What is the most likely missing configuration?

A.A DNAT rule is also needed to translate the destination address.
B.A route must be added on the 10.0.0.0/24 network pointing back to 10.0.0.1.
C.The FORWARD chain in the filter table must have a rule to allow traffic.
D.The IP address 10.0.0.1 is not configured on the external interface.
AnswerC

By default, the FORWARD chain policy is DROP; need to allow forwarding.

Why this answer

The MASQUERADE rule in the POSTROUTING chain handles source NAT, but it does not automatically allow forwarding of packets. By default, the FORWARD chain in the filter table has a policy of DROP or lacks an explicit ACCEPT rule. Without a rule like `iptables -A FORWARD -s 192.168.1.0/24 -d 10.0.0.0/24 -j ACCEPT`, the kernel's netfilter will drop the forwarded packets, preventing traffic from reaching the destination.

Exam trap

The trap here is that candidates assume a MASQUERADE rule alone enables forwarding, but they overlook the separate requirement to allow traffic in the FORWARD chain of the filter table, which is a distinct step in iptables configuration.

How to eliminate wrong answers

Option A is wrong because DNAT is not needed here; the administrator wants to translate the source address (SNAT) for outbound traffic, not change the destination. Option B is wrong because the route back to 10.0.0.1 is not required on the 10.0.0.0/24 network; the MASQUERADE rule rewrites the source to 10.0.0.1, so return traffic naturally routes to that IP, and the server itself must have a route to 192.168.1.0/24 (which is typically via its internal interface). Option D is wrong because 10.0.0.1 is the IP of the server itself and is assumed to be configured on the interface facing the 10.0.0.0/24 network; the issue is not the IP assignment but the missing FORWARD rule.

182
MCQeasy

An administrator configures a Samba share with guest access. After testing, guests are prompted for a password. Which directive should be added to the [global] section to allow guest access without a password?

A.guest account = nobody
B.map to guest = Bad User
C.security = user
D.encrypt passwords = yes
AnswerB

Correct; maps unknown users to guest, enabling password-less guest access.

Why this answer

The 'map to guest = Bad User' directive in the [global] section tells Samba to automatically map any login attempt with an invalid username to the guest account, bypassing password authentication. This is the correct setting to allow guest access without a password prompt, as it treats unknown users as guests.

Exam trap

The trap here is that candidates often confuse 'guest account = nobody' with enabling guest access, but it only defines the Unix account used for guest operations, not the mechanism to bypass password prompts.

How to eliminate wrong answers

Option A is wrong because 'guest account = nobody' only sets the Unix account used for guest access (typically 'nobody'), but does not enable guest access or bypass password prompts; it must be combined with 'map to guest' or 'security = share' (deprecated). Option C is wrong because 'security = user' is the default mode requiring valid user credentials and passwords, which would still prompt guests for a password unless 'map to guest' is also set. Option D is wrong because 'encrypt passwords = yes' enables encrypted password negotiation (SMB dialect), but does not affect whether guest access is allowed without a password; it is unrelated to guest mapping.

183
MCQhard

An administrator configures iptables on a Linux firewall with the following rules: -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT; -A INPUT -p tcp --dport 22 -j ACCEPT; -A INPUT -j DROP. Users report that SSH connections are being dropped. What is the most likely cause?

A.The default INPUT policy is DROP, so the last rule is redundant but harmless.
B.The rule for SSH uses --dport 22, but the source port is randomized; it should use --sport 22.
C.The SSH rule should have -m state --state NEW to allow new connections.
D.The established/related rule should come after the SSH rule.
AnswerC

Without the NEW state, the rule only accepts packets from existing connections, which is not sufficient for initiating new SSH sessions.

Why this answer

The rules in the stem are evaluated in order: first accept ESTABLISHED and RELATED traffic, then accept TCP destination port 22, then drop everything else. A new SSH packet is neither ESTABLISHED nor RELATED, so the first rule does not match it; it then matches the second rule (port 22) and is accepted, so the rule set as written should allow SSH whether the default INPUT policy is ACCEPT or DROP.

The scenario the question is aiming at is a stateful firewall in which the administrator forgets to allow the NEW state for SSH, so only established connections are allowed. In that scenario the answer is that the SSH rule should include `-m state --state NEW`.

184
MCQeasy

Refer to the exhibit. What is wrong with the reverse DNS resolution for 192.0.2.1?

A.The reverse zone is not delegated.
B.The query should be for 1.2.0.192.in-addr.arpa.
C.The server is not authoritative for the reverse zone.
D.The PTR record for 192.0.2.1 is missing.
AnswerD

No answer section means no PTR record exists for that IP.

Why this answer

Option D is correct because the reverse DNS resolution for 192.0.2.1 requires a PTR record in the reverse zone file. The query returns NXDOMAIN, which indicates that the PTR record for 1.2.0.192.in-addr.arpa does not exist, meaning the record is missing. Without this PTR record, the reverse lookup fails.

Exam trap

The trap here is that candidates may confuse NXDOMAIN (missing record) with SERVFAIL (server error) or assume delegation issues, but the authoritative flag confirms the server is responsible, so the only logical cause is a missing PTR record.

How to eliminate wrong answers

Option A is wrong because the reverse zone is delegated (the server returns an authoritative answer, as shown by the 'authoritative' flag in the dig output). Option B is wrong because 1.2.0.192.in-addr.arpa is already the correct reverse-lookup name for 192.0.2.1 (the IP octets are reversed) and the query is already for that name, so the issue is not the query format. Option C is wrong because the server is authoritative for the reverse zone (the 'authoritative' flag is set in the response), so it is not a delegation or non-authoritative issue.

185
Multi-Selectmedium

Which THREE of the following are valid bonding modes in Linux?

Select 3 answers
A.mode 2 (balance-xor)
B.mode 8
C.mode 1 (active-backup)
D.mode 0 (balance-rr)
E.mode 7
AnswersA, C, D

XOR balancing: a valid bonding mode.

Why this answer

Option A (mode 2, balance-xor) is a valid bonding mode that uses a hash policy (typically based on MAC addresses) to select a slave interface for outgoing traffic, providing both load balancing and fault tolerance. It is one of the seven standard bonding modes defined in the Linux kernel bonding driver (modes 0 through 6).

Exam trap

The trap here is that candidates may confuse the number of bonding modes (7) with the mode numbers themselves, incorrectly assuming modes 7 or 8 exist, or they may recall that some proprietary or virtual switch implementations support additional modes not present in the standard Linux bonding driver.

186
MCQmedium

A sysadmin is configuring VLAN tagging on a Linux server that will act as a router-on-a-stick for multiple VLANs (10, 20, 30). The server has a single physical interface enp0s3 connected to a switch trunk port that allows VLANs 10, 20, and 30. The administrator uses systemd-networkd and creates VLAN interfaces enp0s3.10, enp0s3.20, enp0s3.30 with IP addresses 10.0.10.1/24, 10.0.20.1/24, and 10.0.30.1/24 respectively. They enable IP forwarding and, for security, set the iptables FORWARD chain default policy to DROP, but they add no specific rules. Clients in VLAN 10 can ping their gateway (10.0.10.1) but cannot ping clients in VLAN 20 (10.0.20.2). The switch confirms correct configuration. Which of the following is the most likely cause?

A.The VLAN interface enp0s3.10 is missing the 'vlan' flag or is not properly bound.
B.The server's MAC address is not allowed on the switch for VLAN 10.
C.The server's iptables FORWARD chain is set to DROP by default.
D.The switch port is configured as an access port instead of a trunk.
AnswerC

DROP policy blocks all forwarded traffic.

Why this answer

The default policy of the iptables FORWARD chain is set to DROP, and no specific rules are added to allow traffic between VLANs. Since the server is acting as a router-on-a-stick, inter-VLAN traffic must be forwarded by the kernel, which requires explicit ACCEPT rules in the FORWARD chain. Without these rules, packets from VLAN 10 to VLAN 20 are dropped, even though the VLAN interfaces and switch configuration are correct.

Exam trap

The trap here is that candidates often assume enabling IP forwarding alone is sufficient for inter-VLAN routing, overlooking that the iptables FORWARD chain default policy (which defaults to ACCEPT but can be set to DROP) must also permit the traffic.

How to eliminate wrong answers

Option A is wrong because the VLAN interfaces enp0s3.10, enp0s3.20, and enp0s3.30 are created using systemd-networkd with proper naming conventions, and the fact that clients can ping their gateway (10.0.10.1) proves that the VLAN interface is correctly bound and functional. Option B is wrong because MAC address filtering on the switch would prevent the client from pinging its own gateway, which is working; the switch trunk port allows all VLANs, and the server's MAC is not restricted. Option D is wrong because if the switch port were configured as an access port, it would only allow a single VLAN, and the server would not be able to communicate with multiple VLAN gateways or receive traffic from VLAN 10 clients at all.
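The FORWARD-chain behaviour behind this question and the earlier MASQUERADE question, as an added Python example that is not part of the original question bank: it reads `iptables-save` text and returns the first-match verdict of the filter FORWARD chain for one flow, and it flags a POSTROUTING NAT rule whose traffic never gets through FORWARD. The two dumps and the host addresses are constructed, and only `-s`, `-d`, `--state`/`--ctstate` and `-j` are modelled; any other match yields `UNKNOWN`.

```python
"""Evaluate the filter FORWARD chain of an iptables-save dump for one flow."""
import ipaddress
import shlex

# Constructed dumps: the NAT rule from the question with a FORWARD policy of DROP,
# first without and then with rules that permit the forwarded traffic.
NAT_PART = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j MASQUERADE
COMMIT
"""
FILTER_PART = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
{rules}COMMIT
"""
SAVE_DROP = NAT_PART + FILTER_PART.format(rules="")
SAVE_FIXED = NAT_PART + FILTER_PART.format(
    rules="-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
          "-A FORWARD -s 192.168.1.0/24 -d 10.0.0.0/24 -j ACCEPT\n"
)
TERMINAL = ("ACCEPT", "DROP", "REJECT")


def parse_save(text):
    """Return {table: {"policy": {chain: target}, "rules": {chain: [tokens, ...]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif table is None:
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            table["rules"].setdefault(tokens[1], []).append(tokens[2:])
    return tables


def evaluate_rule(tokens, src, dst, state):
    """Return (matches, target); matches is None when the rule uses an unmodelled option."""
    target, matches, i = None, True, 0
    while i < len(tokens):
        opt = tokens[i]
        if opt == "-m":                      # module name only; its options follow
            i += 2
            continue
        if opt == "!" or i + 1 >= len(tokens):
            return None, target
        val = tokens[i + 1]
        if opt == "-j":                      # anything after the target is a target option
            target = val
            break
        if opt in ("-s", "-d"):
            addr = src if opt == "-s" else dst
            matches = matches and addr in ipaddress.ip_network(val, strict=False)
        elif opt in ("--state", "--ctstate"):
            matches = matches and state in val.split(",")
        else:
            return None, target
        i += 2
    return matches, target


def forward_verdict(save_text, src, dst, state="NEW"):
    """First-match verdict of filter/FORWARD: ACCEPT, DROP, REJECT or UNKNOWN."""
    flt = parse_save(save_text).get("filter", {"policy": {}, "rules": {}})
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tokens in flt["rules"].get("FORWARD", []):
        matches, target = evaluate_rule(tokens, src, dst, state)
        if matches is None:
            return "UNKNOWN"
        if matches:
            if target in TERMINAL:
                return target
            if target not in (None, "LOG"):  # jump to a chain this example does not follow
                return "UNKNOWN"
    # No rule decided: the chain policy applies (built-in chains default to ACCEPT).
    return flt["policy"].get("FORWARD", "ACCEPT")


def nat_rule_is_dead(save_text, src, dst):
    """True when a POSTROUTING SNAT/MASQUERADE rule matches the flow but FORWARD blocks it."""
    nat = parse_save(save_text).get("nat", {"rules": {}})
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    natted = any(
        m and t in ("MASQUERADE", "SNAT")
        for m, t in (evaluate_rule(tok, s, d, "NEW") for tok in nat["rules"].get("POSTROUTING", []))
    )
    return natted and forward_verdict(save_text, src, dst) != "ACCEPT"


if __name__ == "__main__":
    for name, dump in (("policy DROP, no rules", SAVE_DROP), ("with FORWARD rules", SAVE_FIXED)):
        print(name, forward_verdict(dump, "192.168.1.50", "10.0.0.20"),
              "dead NAT rule:", nat_rule_is_dead(dump, "192.168.1.50", "10.0.0.20"))
```

The filter FORWARD chain is traversed before nat POSTROUTING, so the addresses tested here are the original, untranslated ones.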

187
MCQhard

Based on the smbstatus output, which statement is true?

A.User 'alice' connected from IP 192.168.1.10 using SMB3 protocol
B.Both users are using SMB2 protocol
C.User 'bob' is accessing share2 with write permissions
D.User 'alice' has an exclusive lock on report.pdf
AnswerA

The machine column shows win10-pc (192.168.1.10) and protocol version SMB3_11.

Why this answer

Option A is correct because the smbstatus output shows that user 'alice' is connected from IP address 192.168.1.10 and the 'Protocol' column explicitly lists 'SMB3_02', which is a variant of the SMB3 protocol. This directly matches the statement in option A.

Exam trap

The trap here is that candidates may assume 'DENY_NONE' implies no lock at all, but it actually means a lock is present that denies no access, which is the opposite of an exclusive lock; LPI often tests the distinction between share mode lock types in smbstatus output.

How to eliminate wrong answers

Option B is wrong because the smbstatus output shows user 'alice' using SMB3_02 protocol, not SMB2; user 'bob' is using SMB2_10, so they are not both using SMB2. Option C is wrong because the output shows user 'bob' accessing 'share2' but the 'Permissions' column for that share is 'R', indicating read-only access, not write permissions. Option D is wrong because the output shows user 'alice' has a 'DENY_NONE' lock on 'report.pdf', which means no exclusive lock is held; an exclusive lock would be 'DENY_ALL' or 'DENY_WRITE'.

188
Multi-Selectmedium

Which TWO parameters are used to control Samba's printer sharing? (Choose two.)

Select 2 answers
A.printer name
B.printable
C.printing
D.load printers
E.use client driver
AnswersB, D

Share-level parameter to define a printer share.

Why this answer

The `printable` parameter in Samba's smb.conf marks a share as a printer, enabling clients to send print jobs to it. The `load printers` parameter, when set to 'yes', automatically loads all printers from the system's printcap file into Samba's browse list, making them available for sharing without manual configuration.

Exam trap

The trap here is that candidates often confuse 'printable' with 'printing' or think 'printer name' is a valid parameter, but the exam tests the specific Samba directives that enable printer sharing, not the backend or naming conventions.

189
MCQ · hard

Refer to the exhibit. The /data filesystem is nearly full. The administrator has added a new disk /dev/sdc with 10GB capacity. The VG currently has no free space. Which steps will increase the available space for /data using LVM and ext4?

A. vgextend vg /dev/sdc; lvextend -L +10G /dev/vg/data; resize2fs /dev/vg/data
B. pvcreate /dev/sdc; lvextend -L +10G /dev/vg/data; resize2fs /dev/vg/data
C. pvcreate /dev/sdc; vgextend vg /dev/sdc; lvextend -l +50%FREE /dev/vg/data; resize2fs /dev/vg/data
D. pvcreate /dev/sdc; vgextend vg /dev/sdc; lvextend -l +100%FREE /dev/vg/data; resize2fs /dev/vg/data
Answer: D

Correctly adds the PV, extends VG, extends LV with all free space, and resizes the filesystem.

Why this answer

Option D is correct because it follows the proper LVM workflow: create a physical volume (pvcreate), add it to the volume group (vgextend), extend the logical volume using all free space in the VG (lvextend -l +100%FREE), and then resize the ext4 filesystem (resize2fs). This ensures the new 10GB disk is fully utilized for /data.

Exam trap

The trap here is that candidates often forget the mandatory pvcreate step or confuse the extent-based -l option with the size-based -L option, leading them to choose options that either skip a critical step or allocate only partial capacity.

How to eliminate wrong answers

Option A is wrong because it skips pvcreate, which is required to initialize /dev/sdc as a physical volume before it can be added to a VG; vgextend alone will fail. Option B is wrong because it omits vgextend, so the new PV is never added to the VG, and lvextend cannot allocate space from an unassociated PV. Option C is wrong because -l +50%FREE only allocates half of the available free space (5GB), not the full 10GB, leaving the filesystem undersized.

190
MCQ · medium

A system with SELinux in enforcing mode is running a custom application that needs to write to a file in /data. The application's context type is 'myapp_t', and the target file context is 'default_t'. The file's current context is 'var_t'. Which command changes the file's context to allow access?

A. fixfiles -F relabel /data
B. chcon -t default_t /data/file
C. semanage fcontext -a -t default_t /data/file
D. restorecon /data/file
Answer: B

Directly changes the file's type to default_t.

Why this answer

Option B is correct because chcon changes file context temporarily; semanage fcontext and restorecon are for persistent labeling. Option A is wrong because restorecon would reset to default policy; option C is wrong because fixfiles relabel restores default file contexts; option D is wrong because semanage fcontext changes policy but requires restorecon to apply.

191
MCQ · easy

Which command will display the current VLAN membership of interface eth1?

A. vconfig list eth1
B. ip addr show eth1
C. cat /proc/net/vlan/eth1
D. bridge vlan show dev eth1
E. ip link show eth1
Answer: D

Displays VLAN membership for the specified interface, including PVID and tagged VLANs.

Why this answer

Option D is correct because the `bridge vlan show dev eth1` command displays the current VLAN membership of a specific interface when the interface is part of a Linux bridge. This command queries the kernel's bridge VLAN filtering database, showing which VLAN IDs are tagged or untagged on the given port, which is the standard way to view VLAN membership in modern Linux networking.

Exam trap

The trap here is that candidates often confuse `ip link show` or `ip addr show` with VLAN membership display, or mistakenly think that `vconfig` or `/proc/net/vlan/` files provide per-physical-interface VLAN membership, when in fact those tools are for VLAN sub-interfaces, not bridge port VLAN membership.

How to eliminate wrong answers

Option A is wrong because `vconfig list eth1` is not a valid command; `vconfig` is used to create or delete VLAN interfaces (e.g., `vconfig add eth1 10`), but it does not display VLAN membership of a physical interface. Option B is wrong because `ip addr show eth1` displays IP addresses assigned to the interface, not VLAN membership information. Option C is wrong because the file `/proc/net/vlan/eth1` does not exist; the correct path for VLAN interface information is `/proc/net/vlan/<vlan-interface-name>` (e.g., `eth1.10`), and it shows details of a VLAN interface, not the membership of a physical port.

Option E is wrong because `ip link show eth1` displays the link layer state (e.g., UP/DOWN, MAC address, MTU) and does not include VLAN membership details.

192
MCQ · medium

Refer to the exhibit. The user 'user' reports that they are able to run 'sudo apt-get update' without a password, but 'sudo apt-get upgrade' prompts for a password. What is the most likely cause?

A. The second rule does not include the NOPASSWD tag, so password is required.
B. The 'Defaults:user !requiretty' setting affects password prompting.
C. The command 'apt-get upgrade' is being run as the user, not as root.
D. The rules are in the wrong order, causing the second to be overridden.
Answer: A

Only the first rule has NOPASSWD; the second rule defaults to password authentication.

Why this answer

Option B is correct. The first rule has NOPASSWD, so update runs without password. The second rule lacks NOPASSWD, so upgrade requires a password.

Option A is wrong because requiretty is not the issue. Option C is wrong because commands are run as root, not as user. Option D is wrong because the syntax is correct; the issue is the missing NOPASSWD tag.

193
MCQ · hard

An administrator notices that an NFS mount on a client becomes unresponsive when the NFS server goes offline. The admin wants the mount to return an error to the application after a short timeout instead of hanging indefinitely. Which mount option should be added to the fstab entry?

A. intr
B. bg
C. hard
D. soft
Answer: D

The soft option allows NFS to time out and return an error.

Why this answer

The `soft` mount option causes the NFS client to return an error to the application after a short timeout (typically 60 seconds by default) if the NFS server becomes unresponsive, rather than hanging indefinitely. This is the correct choice because the administrator specifically wants the mount to return an error after a short timeout instead of hanging.

Exam trap

LPI often tests the distinction between `hard` and `soft` mounts, and the trap here is that candidates may confuse `intr` (which only makes hard mounts interruptible) with a timeout-based error return, or think `bg` affects runtime behavior instead of mount-time retries.

How to eliminate wrong answers

Option A is wrong because `intr` (interruptible) allows signals to interrupt NFS operations on a hard mount, but it does not cause the mount to return an error after a timeout; it only makes a hard mount interruptible by user signals. Option B is wrong because `bg` (background) retries the mount in the background if it fails initially, but it does not affect the behavior of an already-mounted filesystem when the server goes offline; it is used for mount retries, not for timeout behavior. Option C is wrong because `hard` causes the NFS client to retry requests indefinitely until the server responds, which results in the application hanging indefinitely — exactly the behavior the administrator wants to avoid.

194
MCQ · easy

Which command is used to list the NFS exports available from a specific server?

A. showmount -e server
B. mount -t nfs4 server:/export /mnt
C. nfsstat
D. exportfs -a
Answer: A

showmount with -e lists the exported filesystems from a server.

Why this answer

The `showmount -e server` command queries the NFS server's mount daemon (rpc.mountd) to list the exported filesystems that are currently available. This is the standard method for a client to discover which NFS shares a server is offering, as it directly interrogates the server's export list via the RPC protocol.

Exam trap

The trap here is that candidates often confuse `showmount -e` with `exportfs` (a server-side command) or with `mount` (which requires prior knowledge of the export path), leading them to pick a command that either does not query a remote server or performs a different operation entirely.

How to eliminate wrong answers

Option B is wrong because `mount -t nfs4 server:/export /mnt` is used to mount an NFS share, not to list available exports; it assumes you already know the export path. Option C is wrong because `nfsstat` displays NFS statistics (like RPC call counts and performance data) on the local system, not the export list from a remote server. Option D is wrong because `exportfs -a` is a server-side command that exports or unexports all directories listed in `/etc/exports`; it does not query a remote server for its exports.

195
MCQ · hard

A Samba server experiences slow file transfers for large files. The administrator suspects oplock issues. Which set of parameters should be adjusted to disable opportunistic locking?

A. oplocks = false alone is sufficient
B. strict locking = yes
C. kernel oplocks = no
D. oplocks = no and level2 oplocks = no
Answer: D

Setting both disables all oplocks, improving performance for some workloads.

Why this answer

Option D is correct because disabling opportunistic locking (oplocks) in Samba requires setting both 'oplocks = no' and 'level2 oplocks = no'. The 'oplocks = no' directive disables exclusive oplocks, but Samba's default behavior still allows level2 oplocks (read-only caching). To fully disable all forms of oplock caching, both parameters must be set to 'no', preventing client-side caching that can cause conflicts and slow transfers for large files.

Exam trap

The trap here is that candidates assume setting 'oplocks = no' alone is sufficient, overlooking that Samba's default behavior enables level2 oplocks separately, requiring both parameters to be explicitly disabled.

How to eliminate wrong answers

Option A is wrong because setting 'oplocks = false' alone only disables exclusive oplocks; level2 oplocks remain enabled by default, allowing read caching that can still cause oplock breaks and performance issues. Option B is wrong because 'strict locking = yes' enforces byte-range locking checks on every read/write, which actually increases overhead and slows transfers, rather than disabling oplocks. Option C is wrong because 'kernel oplocks = no' disables kernel-level oplock support (used with NFS or local file systems), but does not affect Samba's own oplock mechanism; it is unrelated to disabling Samba's opportunistic locking.

196
MCQ · medium

A system administrator recently configured two NICs in a bonding interface (bond0) using mode 1 (active-backup). Although both links appear up, traffic never fails over when the primary link goes down. Which command should the administrator use to diagnose the bonding status and determine the root cause?

A. netstat -i
B. cat /proc/net/bonding/bond0
C. ifconfig bond0
D. ethtool bond0
Answer: B

Shows bonding driver status: active slave, link failures, MII status.

Why this answer

Option B is correct because /proc/net/bonding/bond0 is the kernel-level interface that exposes the current bonding driver state, including active slave, link status, and failover counters. In mode 1 (active-backup), this file shows whether the primary interface is actually marked as 'up' by the bonding driver and whether the backup interface is ready to take over. The administrator can check for issues such as the primary link being stuck in a 'down' state due to misconfigured MII monitoring or missing 'miimon' parameter.

Exam trap

The trap here is that candidates assume ifconfig or ethtool showing 'UP' means the bonding driver will failover, but bonding relies on its own link monitoring (miimon or arp_interval) which must be explicitly configured and verified via /proc/net/bonding/bond0.

How to eliminate wrong answers

Option A is wrong because netstat -i shows interface statistics (packets, errors, drops) but does not display bonding-specific details like active slave, failover status, or MII monitoring state. Option C is wrong because ifconfig bond0 only shows basic IP configuration and link flags (UP/RUNNING) for the bond interface, not the internal bonding state or per-slave failover readiness. Option D is wrong because ethtool bond0 queries the NIC driver for link speed, duplex, and offload features, but it cannot reveal bonding driver internals such as the active-backup primary selection or failover counters.

197
MCQ · hard

Based on the ACL output, which user(s) can write to the file /var/www/html/index.html?

A. Only the user www-data.
B. No one, because the mask is r--.
C. Only root.
D. Any user in the www-data group.
Answer: C

Root has rw- and is not limited by mask.

Why this answer

The correct answer is C because the ACL output shows that the mask is set to r--, which limits the effective permissions of named users and groups to read-only, regardless of their ACL entries. However, the root user is not subject to ACL restrictions and always has full access to any file, including write permission, making root the only user who can write to the file.

Exam trap

The trap here is that candidates often overlook that the ACL mask applies only to named users and groups, not to root, leading them to incorrectly believe that the mask r-- blocks all write access, including root's.

How to eliminate wrong answers

Option A is wrong because the ACL entry for user www-data grants rw- permissions, but the mask is r--, which masks the write permission, so www-data cannot write. Option B is wrong because the mask r-- does not prevent root from writing; root bypasses all ACL and permission checks. Option D is wrong because the group www-data has an ACL entry of r--, and even if it had rw-, the mask r-- would block write access for any group member.

198
MCQ · easy

A Samba share is configured with 'browseable = yes' but Windows clients cannot see it in the network list. However, they can access it by typing the UNC path directly. Which parameter is most likely misconfigured?

A. os level
B. netbios name
C. local master
D. server string
Answer: C

This controls whether the server attempts to become the local master browser.

Why this answer

The 'local master' parameter controls whether the Samba server participates in the election for the local master browser on the subnet. If set to 'no', the Samba server will not become the master browser, and Windows clients rely on the master browser to populate the network list. Since clients can access the share via UNC path but not see it in the network list, the browsing service is failing, which is directly tied to the local master setting.

Exam trap

LPI often tests the distinction between 'browseable' (which controls visibility of individual shares) and 'local master' (which controls the server's presence in the network browse list), causing candidates to confuse share-level visibility with server-level browsing.

How to eliminate wrong answers

Option A is wrong because 'os level' influences the priority in browser elections but does not directly prevent the share from appearing in the network list; a low os level might lose an election but the server can still be a backup browser. Option B is wrong because 'netbios name' defines the server's NetBIOS name for identification; if misconfigured, the server would not be reachable by UNC path either. Option D is wrong because 'server string' is a descriptive comment shown in the network list; it does not affect whether the server appears at all.

199
MCQ · medium

An administrator wants to block all incoming traffic from the IP address 203.0.113.55 except for SSH (port 22) using iptables. The current default policy for the INPUT chain is ACCEPT. Which set of commands achieves this?

A. iptables -A INPUT -p tcp --dport 22 -s 203.0.113.55 -j ACCEPT -m; iptables -A INPUT -s 203.0.113.55 -j DROP
B. iptables -A INPUT -s 203.0.113.55 -j DROP; iptables -A INPUT -s 203.0.113.55 -p tcp -j ACCEPT
C. iptables -A INPUT -s 203.0.113.55 -j DROP; iptables -A INPUT -s 203.0.113.55 -p tcp --dport 22 -j ACCEPT
D. iptables -A INPUT -s 203.0.113.55 -p tcp --dport 22 -j ACCEPT; iptables -A INPUT -s 203.0.113.55 -j DROP
Answer: D

First accepts SSH, then drops all other traffic from the IP.

Why this answer

Option C is correct because it adds the SSH accept rule before the drop rule, ensuring SSH from that IP is allowed. Options A and D drop all first, blocking SSH. Option B has invalid syntax.

200
Multi-Select · easy

Which TWO files are commonly used to configure PAM authentication for the 'login' service on a Linux system? (Choose two.)

Select 2 answers
A. /etc/default/login
B. /etc/login.defs
C. /etc/pam.conf
D. /etc/pam.d/login
E. /etc/security/access.conf
Answers: D, E

PAM configuration for the login service.

Why this answer

Options A and D are correct. PAM configuration files are located in /etc/pam.d/ and /etc/security/ (for some modules). Option B is wrong because /etc/pam.conf is an older format, but modern systems use /etc/pam.d/.

Option C is wrong because /etc/login.defs is for login parameters, not PAM. Option E is wrong because /etc/default/login is not a standard PAM file.

201
MCQ · easy

An administrator wants to check the ARP cache for a specific IP address 192.168.1.1. Which command will display the ARP entry for that address?

A. ip neigh show 192.168.1.1
B. arp -a 192.168.1.1
C. arp -n | grep 192.168.1.1
D. route -n
Answer: C

This filters the ARP cache for the specific IP.

Why this answer

Option C is correct because `arp -n` displays the ARP cache in numeric format, and piping it through `grep 192.168.1.1` filters the output to show only the entry for that specific IP address. The `-n` flag prevents reverse DNS lookups, ensuring the output contains raw IP addresses, which is essential for reliable filtering.

Exam trap

The trap here is that candidates often assume `arp -a` with an IP address works universally, but on Linux, `-a` expects a hostname and may fail silently or require DNS resolution, whereas `arp -n` with `grep` reliably filters numeric output without relying on name resolution.

How to eliminate wrong answers

Option A is not the designated answer: `ip neigh show 192.168.1.1` is valid `ip` syntax for displaying a specific ARP entry, but the question expects the traditional `arp` command, and the exam's designated correct answer is C. Option B is wrong because `arp -a 192.168.1.1` uses the `-a` flag which, on many Linux distributions, expects a hostname rather than an IP address, and it may perform a reverse DNS lookup, potentially failing or showing no output if no hostname is associated. Option D is wrong because `route -n` displays the kernel IP routing table, not the ARP cache, so it cannot show ARP entries for any IP address.

202
Multi-Select · easy

Which three directories or files are typically associated with the Linux kernel? (Choose three.)

Select 3 answers
A. /proc
B. /dev
C. /etc
D. /sys
E. /boot/vmlinuz-*
Answers: A, D, E

/proc is a virtual filesystem that provides kernel and process information.

Why this answer

/proc is a virtual filesystem that provides an interface to kernel data structures, exposing process information, system hardware details, and runtime kernel parameters. It is dynamically generated by the kernel and does not occupy disk space, making it a direct representation of kernel state.

Exam trap

The trap here is that candidates often confuse /dev as a kernel-associated directory because it contains device nodes, but /dev is a user-space interface managed by udev, whereas /proc and /sys are virtual filesystems directly maintained by the kernel.

203
MCQ · easy

Which command can be used to display all UUIDs of block devices that contain filesystems?

A. lsblk -f
B. both A and B
C. blkid
D. fdisk -l
Answer: B

Both blkid and lsblk -f display UUIDs.

Why this answer

Both `lsblk -f` and `blkid` are designed to display UUIDs for block devices that contain filesystems. `lsblk -f` shows filesystem information including UUIDs in a tree-like format, while `blkid` directly queries the UUID and filesystem type from block device metadata. Option B is correct because both commands fulfill the requirement.

Exam trap

The trap here is that candidates often think only one command (usually `blkid`) can display UUIDs, forgetting that `lsblk -f` also shows this information, leading them to pick a single option instead of the combined answer.

How to eliminate wrong answers

Option A is incomplete rather than incorrect: `lsblk -f` is a valid command that displays UUIDs, but the question asks for a single command and both A and C work, making B the correct answer. Option C is incomplete for the same reason: `blkid` is also a valid command that displays UUIDs, and the trap is that candidates might think only one command works. Option D is wrong because `fdisk -l` lists partition tables (sizes, types, start/end sectors) but does not display filesystem UUIDs; it only shows partition type IDs (e.g., 83 for Linux) and never queries the filesystem superblock for UUIDs.

204
MCQ · hard

A system administrator has compiled a custom Linux kernel (version 5.15.19) with ext4 filesystem support built as a module. The administrator installed the kernel to /boot and built an initramfs using dracut with default options. After rebooting, the system fails with a kernel panic: 'VFS: Unable to mount root fs on unknown-block(0,0)'. The administrator confirms that the root partition is /dev/sda1 formatted as ext4 and that the kernel configuration includes the ext4 module. The kernel command line includes 'root=/dev/sda1' and 'rd.auto'. The administrator also notices that the initramfs file is only 5 MB in size, which seems smaller than expected. Which of the following is the most likely cause and best solution?

A. The initramfs is missing the ext4 module because dracut did not include it. The administrator should run 'dracut --force --add-drivers ext4 /boot/initramfs-5.15.19.img 5.15.19' to regenerate the initramfs including the ext4 module.
B. The kernel command line needs the 'rd.shell' parameter to allow interactive debugging. The administrator should add 'rd.shell' to the kernel parameter and boot again to investigate.
C. The root filesystem label or UUID is incorrect. The administrator should change the kernel command line to use 'root=LABEL=root' or 'root=UUID=...'.
D. The kernel is missing the ext4 module because it was not compiled. The administrator should recompile the kernel with ext4 compiled directly into the kernel (y) instead of as a module.
Answer: A

Dracut may fail to detect the module; --add-drivers forces inclusion, and --force overwrites the existing initramfs.

Why this answer

The small initramfs size (5 MB) suggests it does not contain the ext4 module. Dracut should have included it automatically, but may have failed. Rebuilding with --force and explicitly adding the ext4 driver ensures the module is included.

Compiling ext4 into the kernel would work but is not the most efficient solution; changing the root parameter would not help because the device is correct; rd.shell would allow debugging but not fix the underlying issue.

205
MCQ · hard

A network administrator is configuring source-based routing. They have created a new routing table and added a default route. They then run: ip rule add to 10.0.0.0/24 lookup 100. Traffic from 10.0.0.0/24 still uses the main table. What is the problem?

A. The rule uses 'to' instead of 'from' to match the source subnet.
B. The rule is not persistent.
C. The rule priority is too high.
D. The routing table 100 does not have a default route.
Answer: A

For source-based routing, the rule should specify 'from' to match the source address. Using 'to' matches the destination.

Why this answer

The `ip rule add to 10.0.0.0/24 lookup 100` command uses the `to` keyword, which matches the destination address, not the source address. For source-based routing, you must use the `from` keyword to match the source subnet. Since the rule matches destination 10.0.0.0/24 instead of source, traffic originating from 10.0.0.0/24 is not matched by this rule and continues to use the main routing table.

Exam trap

The trap here is that candidates often confuse the `to` and `from` keywords in `ip rule`, mistakenly thinking `to` refers to the source subnet when it actually refers to the destination, leading them to select a rule that never matches the intended traffic.

How to eliminate wrong answers

Option B is wrong because persistence (e.g., saving rules to /etc/iproute2/rt_tables or a startup script) affects whether the rule survives a reboot, but it does not affect the current runtime behavior; the rule is already added and active. Option C is wrong because rule priority (the `priority` parameter) determines the order in which rules are evaluated, but a higher priority (lower numeric value) would not prevent the rule from matching; the issue is the match condition itself, not the priority. Option D is wrong because the routing table 100 does have a default route (as stated in the question), and even if it did not, the rule would still match and simply fail to find a route; the problem is that the rule does not match the traffic at all.

206
MCQ · hard

A mail server running Postfix is deferring messages for a local user. The mail log shows 'status=deferred (mailbox is locked)'. What is the most likely cause?

A. The user's mailbox is currently being accessed by a POP3 client.
B. The filesystem containing the mail spool is out of inodes.
C. The disk quota for the user has been exceeded.
D. The Postfix process lacks write permission to the mailbox.
Answer: A

Concurrent access by a mail client can lock the mailbox file, causing Postfix to defer delivery with 'mailbox is locked'.

Why this answer

The 'mailbox is locked' message in Postfix logs indicates that the mailbox file is currently locked by another process, typically a POP3 or IMAP client that has the mailbox open for exclusive access. Postfix defers delivery because it cannot acquire the necessary lock to write to the mailbox, ensuring data integrity. This is a standard behavior defined by the mailbox locking mechanism (e.g., fcntl, dotlock) used by the MTA and MDA.

Exam trap

The trap here is that candidates confuse 'mailbox is locked' with permission or quota issues, but the lock message specifically points to a concurrent access conflict, not a filesystem or authorization problem.

How to eliminate wrong answers

Option B is wrong because a filesystem out of inodes would produce errors like 'No space left on device' or 'Disk quota exceeded', not a specific 'mailbox is locked' message. Option C is wrong because exceeding disk quota results in 'quota exceeded' errors in the mail log, not a lock-related deferral. Option D is wrong because lack of write permission would cause a 'Permission denied' error, not a lock conflict; Postfix checks permissions before attempting delivery and would log a different error.

207
MCQ · easy

What is the most likely error in the configuration?

A. Section name '[share]' is invalid
B. Case sensitivity of parameter names
C. Parameter 'security mode' should be 'security'
D. Missing quotation marks around comment
Answer: C

The correct parameter is 'security', not 'security mode'.

Why this answer

Option C is correct because the Samba configuration parameter for setting the security mode is simply 'security', not 'security mode'. The correct syntax is 'security = user' (or share, server, domain, ads). Using 'security mode' is an invalid parameter name that Samba will ignore or treat as an error, causing the configuration to fail or behave unexpectedly.

Exam trap

The trap here is that candidates may assume parameter names can include spaces or that 'security mode' is a valid multi-word parameter, when in fact Samba uses single-word parameters with underscores for multi-word concepts (e.g., 'security' not 'security mode').

How to eliminate wrong answers

Option A is wrong because section names like '[share]' are valid in Samba; they define a share resource and are not inherently invalid. Option B is wrong because Samba parameter names are case-insensitive, so case sensitivity is not the issue here. Option D is wrong because quotation marks around comment values are optional in Samba; they are only needed if the comment contains spaces or special characters, but their absence is not an error.

208
MCQ · hard

A database server uses LVM with an XFS filesystem on /dev/vg_data/lv_db, mounted at /var/lib/mysql. The LV is at 95% capacity. A new 50GB disk /dev/sdd has been added and initialized as a physical volume, then added to the volume group vg_data. The database is running and cannot be stopped. The administrator must extend the LV and filesystem. What is the correct course of action?

A. Run `lvextend -L +50G /dev/vg_data/lv_db` followed by `resize2fs /dev/vg_data/lv_db`.
B. Run `lvextend -L +50G /dev/vg_data/lv_db` followed by `xfs_growfs /var/lib/mysql`.
C. Unmount /var/lib/mysql, run `lvextend -L +50G /dev/vg_data/lv_db`, run `resize2fs /dev/vg_data/lv_db`, then remount.
D. Run `lvresize -L +50G /dev/vg_data/lv_db`.
Answer: B

Correct: lvextend extends the LV online, and xfs_growfs resizes the XFS filesystem while mounted.

Why this answer

Option D is correct because lvextend extends the logical volume without unmounting, and xfs_growfs can online resize an XFS filesystem. Option A uses resize2fs, which is only for ext2/3/4 filesystems. Option B does not resize the filesystem at all.

Option C includes an unmount step, which would cause unacceptable downtime for a running database.

209
MCQ · hard

A user reports that they cannot SSH to a remote server using the usual command 'ssh user@remote.example.com'. The administrator tests and gets 'Permission denied (publickey,gssapi-keyex,gssapi-with-mic)'. The user's public key is in ~/.ssh/authorized_keys on the remote server. The local client has the matching private key. Which step should the administrator take to resolve the issue?

A. Generate a new RSA key pair on the client with ssh-keygen.
B. Run 'ssh-add' to add the private key to the SSH agent.
C. Restart the sshd service on the client.
D. Check /var/log/auth.log on the remote server to see why the key was rejected.
Answer: D

Server logs show the exact reason for key rejection.

Why this answer

The error message indicates that the SSH server rejected all offered authentication methods, including publickey. Since the user's public key is in the remote server's authorized_keys file and the client has the matching private key, the most likely cause is a file permission or SELinux/AppArmor issue on the remote server, or a key format mismatch. Checking /var/log/auth.log on the remote server will show the exact reason for the rejection, such as 'bad permissions' or 'key not recognized', allowing targeted troubleshooting.

Exam trap

The trap here is that candidates assume the key pair is the problem and jump to regenerating keys or using ssh-add, when the real issue is often a server-side configuration or permission problem that can only be diagnosed by examining the remote server's authentication logs.

How to eliminate wrong answers

Option A is wrong because generating a new key pair would not resolve the underlying issue; the existing keys are already correctly placed, and a new pair would require re-adding the public key to authorized_keys. Option B is wrong because ssh-add is only needed if the private key is not loaded into an SSH agent; the user is running ssh directly, not via an agent, and the private key file is present. Option C is wrong because restarting sshd on the client has no effect on the remote server's authentication process; the issue is on the remote server, not the client.

210
Multi-Select · hard

Which THREE of the following are correct statements about LVM thin provisioning? (Select THREE)

Select 3 answers
A. Snapshots of thin volumes use the same pool.
B. Thin provisioning allows overcommitment of physical storage.
C. A thin pool can be resized smaller without data loss.
D. A thin volume can be larger than the pool.
E. Thin volumes must be created before the thin pool.
Answers: A, B, D

Both thin volumes and snapshots share pool space.

Why this answer

Option A is correct because LVM thin provisioning uses a shared thin pool to store data for all thin volumes and their snapshots. When a snapshot of a thin volume is created, it does not allocate separate physical storage; instead, it references the same thin pool, allowing efficient space usage and copy-on-write semantics.

Exam trap

The trap here is that candidates confuse thin pool resizing with standard logical volume resizing, assuming lvreduce can shrink a thin pool safely, when in fact LVM does not support shrinking thin pools without risking data loss.

211
MCQ · hard

A Samba share uses the 'acl_xattr' VFS module to store NT ACLs in extended attributes. The administrator runs 'getfattr -d /srv/share/file.txt' and sees no system attributes related to NT ACLs. What is the most likely cause?

A. The VFS module is not loaded globally.
B. The filesystem is not mounted with the 'user_xattr' option.
C. The share does not have 'nt acl support = yes' set.
D. The file's extended attributes are stored in a different namespace.
Answer: B

Extended attributes require the user_xattr mount option.

Why this answer

The 'acl_xattr' VFS module stores NT ACLs in extended attributes within the 'system' namespace. If 'getfattr -d' shows no system attributes, the most likely cause is that the underlying filesystem is not mounted with the 'user_xattr' option, which is required to enable extended attribute support. Without this mount option, the filesystem cannot store or retrieve extended attributes, so the NT ACL data is not persisted.

Exam trap

The trap here is that candidates often confuse the 'user_xattr' mount option with the 'user' namespace for extended attributes, assuming it only affects user-defined attributes, when in fact it enables all extended attribute support on the filesystem.

How to eliminate wrong answers

Option A is wrong because the 'acl_xattr' VFS module is typically loaded per share in the Samba configuration, not globally; even if it were global, the absence of system attributes points to a filesystem-level issue, not a Samba module loading problem. Option C is wrong because 'nt acl support = yes' is a separate parameter that enables Samba to map NT ACLs to POSIX ACLs, but it does not affect the storage of extended attributes; the 'acl_xattr' module handles that storage. Option D is wrong because the 'acl_xattr' module stores NT ACLs in the 'system' namespace (e.g., 'system.ntfs_acl'), not in a different namespace; if the attributes were in a different namespace, 'getfattr -d' would still show them unless the namespace is explicitly excluded.

212
MCQ · hard

A server reports packet loss on a bonded interface (mode 4). The switch configuration is verified correct. Running ethtool shows all slaves are connected at 1 Gbps full duplex. Which command should be used to check if the LACP negotiation is successful?

A. tcpdump -i bond0 ether proto 0x8809
B. ethtool -S bond0
C. ip link show bond0
D. cat /proc/net/bonding/bond0
E. bridge link show
Answer: D

Displays bonding information including LACP state, actor/partner keys, and link status.

Why this answer

Option D is correct because `/proc/net/bonding/bond0` displays the current bonding status, including LACP negotiation details such as the LACP state (e.g., 'negotiated' or 'expired'), partner system MAC, and port key. This is the standard Linux interface to verify that LACP (802.3ad) has successfully established a link aggregation group with the switch.

Exam trap

The trap here is that candidates confuse LACP negotiation with general link status or packet capture, assuming `tcpdump` or `ethtool` can show LACP state, when in fact only the bonding pseudo-file provides the detailed per-slave LACP negotiation status.

How to eliminate wrong answers

Option A is wrong because `tcpdump -i bond0 ether proto 0x8809` captures LACP frames (protocol 0x8809) on the bond interface, but bond0 itself does not transmit or receive raw LACP frames—those are handled on slave interfaces; this command would show nothing useful. Option B is wrong because `ethtool -S bond0` shows software statistics for the bond (e.g., packets, drops), not LACP negotiation state; LACP details are per-slave and not aggregated at the bond level. Option C is wrong because `ip link show bond0` only shows link state and MTU, not LACP-specific information like actor/partner states.

Option E is wrong because `bridge link show` is for bridge (switching) interfaces, not bonding; it has no relevance to LACP or 802.3ad.

213
MCQ · hard

An administrator is reviewing the audit rules on a Linux server. The current rules are shown in the exhibit. The administrator needs to ensure that any failed attempts to open files are logged, while also monitoring for successful outbound connections. Which of the following describes the effect of the current rules?

A. The first rule logs only failed openat calls, and the second rule logs all connect calls.
B. The first rule logs only successful openat calls, and the second rule logs only failed connect calls.
C. The first rule logs all openat calls, and the second rule logs all connect calls.
D. The first rule logs only failed openat calls, and the second rule logs only failed connect calls.
Answer: A

The first rule logs failed openat (success=0), the second logs all connect (no success filter).

Why this answer

The first rule uses the `-F exit=-EACCES` filter, which matches only failed `openat` calls (those returning the EACCES error). The second rule uses `-S connect` without an exit filter, so it logs all `connect` syscalls regardless of success or failure. Therefore, option A correctly describes the effect: failed openat calls and all connect calls are logged.

Exam trap

The trap here is that candidates often assume `-S connect` without an exit filter only logs failed connections, but it actually logs all connect syscalls, and they may also overlook that `-F exit=-EACCES` explicitly targets failures, not successes.

How to eliminate wrong answers

Option B is wrong because the first rule logs only failed openat calls, not successful ones; the second rule logs all connect calls, not just failed ones. Option C is wrong because the first rule does not log all openat calls—it specifically filters for failures (exit=-EACCES). Option D is wrong because the second rule logs all connect calls, not only failed ones.

214
MCQ · medium

Refer to the exhibit. If a user on the local machine tries to SSH to a remote host on eth1, what will happen?

A. The connection will succeed only if the remote host is on eth0.
B. The connection will succeed because the OUTPUT chain accepts all.
C. The connection will fail because there is no rule accepting outgoing SSH.
D. The connection will fail because the INPUT chain drops all.
Answer: B

Outgoing SSH is allowed by OUTPUT policy.

Why this answer

The correct answer is B because the OUTPUT chain has a default policy of ACCEPT, meaning all outgoing packets, including SSH traffic (TCP port 22), are allowed by default. Since the user is initiating an SSH connection from the local machine, the packet traverses the OUTPUT chain, and with no explicit DROP or REJECT rule, it is permitted. The INPUT chain's default DROP policy only affects incoming packets, not outgoing connections.

Exam trap

The trap here is that candidates mistakenly focus on the INPUT chain's DROP policy and assume it blocks outgoing SSH, or they think a specific rule for SSH is required in the OUTPUT chain, overlooking the default ACCEPT policy.

How to eliminate wrong answers

Option A is wrong because the routing decision depends on the destination IP and routing table, not on which interface the OUTPUT chain applies to; the OUTPUT chain does not filter based on egress interface in the same way as FORWARD. Option C is wrong because the OUTPUT chain's default policy is ACCEPT, so no explicit rule for outgoing SSH is required; the connection will succeed unless a specific DROP rule exists. Option D is wrong because the INPUT chain only processes packets destined for the local machine, not outgoing packets initiated by the local machine; the SSH connection's return traffic would be subject to INPUT, but the initial outgoing packet is not affected.

215
MCQ · medium

An administrator creates a new XFS filesystem on /dev/vg/data and needs to mount it at /data with noatime and a stripe unit of 1 MiB. Which /etc/fstab entry is correct?

A. /dev/vg/data /data xfs defaults,noatime,sunit=2048 0 0
B. /dev/vg/data /data xfs defaults,noatime,swidth=2048 0 0
C. /dev/vg/data /data xfs defaults,noatime,allocsize=1m 0 0
D. /dev/vg/data /data xfs defaults,noatime,sunit=1024 0 0
Answer: A

sunit=2048 sectors = 1 MiB stripe unit, with noatime.

Why this answer

Option A is correct because the `sunit` mount option specifies the stripe unit in 512-byte blocks. A stripe unit of 1 MiB equals 2048 blocks (1 MiB = 1024 KiB = 2048 * 512 bytes). The `noatime` option disables access time updates.

This entry correctly mounts the XFS filesystem at /data with the required parameters.

Exam trap

The trap here is confusing the unit of measurement: candidates often forget that `sunit` is in 512-byte blocks, not bytes or kilobytes, leading them to choose `sunit=1024` (which is only 512 KiB) instead of the correct `sunit=2048` for 1 MiB.

How to eliminate wrong answers

Option B is wrong because `swidth` specifies the stripe width (total stripe size across all data disks), not the stripe unit; it would be used in addition to `sunit` for RAID configurations, not alone. Option C is wrong because `allocsize=1m` sets the pre-allocation size for file writes, not the stripe unit; it does not affect RAID stripe alignment. Option D is wrong because `sunit=1024` corresponds to a stripe unit of 512 KiB (1024 * 512 bytes), not the required 1 MiB.

216
MCQ · medium

A system administrator notices that the network bond interface bond0 is not operational. The bond is configured using mode 1 (active-backup). The physical interfaces eth0 and eth1 are both up but bond0 shows 'DOWN'. Which of the following is the most likely cause?

A. The bond mode is set to an unsupported value.
B. The bonding module has not been loaded into the kernel.
C. The physical interfaces must be set to the 'down' state before being added as slaves.
D. The bond0 interface has not been assigned an IP address.
Answer: C

Slave interfaces are often required to be down before bonding to avoid conflicts.

Why this answer

In Linux bonding, when adding physical interfaces as slaves to a bond in mode 1 (active-backup), the slave interfaces must be in the 'down' state before being enslaved. If they are already 'up', the bond may fail to recognize them correctly, leaving bond0 in a 'DOWN' state even though the physical links are up. This is because the bonding driver expects to take control of the interface's link state and will not properly manage a slave that is already administratively up.

Exam trap

The trap here is that candidates often assume that because the physical interfaces are 'up' and have link, the bond should automatically be 'up', but Linux bonding requires slaves to be administratively down before enslaving, a detail that is frequently overlooked in exam questions.

How to eliminate wrong answers

Option A is wrong because mode 1 (active-backup) is a standard and supported bonding mode in Linux; the bond mode being set to an unsupported value would typically cause a different error, such as the bond failing to come up at all or showing an invalid mode in /proc/net/bonding/bond0. Option B is wrong because if the bonding module were not loaded, the bond0 interface itself would not exist or would fail to create; the fact that bond0 is present (though down) indicates the module is loaded. Option D is wrong because an IP address is not required for the bond interface to be operationally 'UP'; a bond can be up without an IP address, and the issue here is that the bond is down, not that it lacks an IP.

217
MCQ · hard

After upgrading the kernel on a Red Hat Enterprise Linux system, the system fails to boot because the initramfs is missing. Which command can be used to regenerate the initramfs?

A. dracut -f
B. mkinitrd -f
C. grub2-mkconfig -o /boot/grub2/grub.cfg
D. mkinitramfs -o /boot/initrd.img
Answer: A

dracut -f regenerates the initramfs image.

Why this answer

On Red Hat Enterprise Linux (RHEL) systems, the `dracut` utility is the standard tool for creating and regenerating initial RAM filesystem images (initramfs). The `-f` (force) option overwrites an existing initramfs file, which is necessary after a kernel upgrade to ensure the new kernel has the correct drivers and modules to mount the root filesystem during boot. Without a valid initramfs, the kernel cannot access the root filesystem, causing a boot failure.

Exam trap

The trap here is that candidates often confuse the initramfs regeneration command with the bootloader configuration update command (`grub2-mkconfig`), or they mistakenly apply a Debian/Ubuntu command (`mkinitramfs`) to a RHEL system, not realizing that `dracut` is the correct tool for Red Hat-based distributions.

How to eliminate wrong answers

Option B is wrong because `mkinitrd` is a legacy tool that was used on older RHEL versions (RHEL 5 and earlier) and is not the current standard; on modern RHEL systems, `mkinitrd` is typically a wrapper script that calls `dracut`, but using it directly with `-f` is not the recommended or primary command. Option C is wrong because `grub2-mkconfig` regenerates the GRUB2 bootloader configuration file (`/boot/grub2/grub.cfg`), not the initramfs; it updates the boot menu but does not create or modify the initial RAM disk. Option D is wrong because `mkinitramfs` is a Debian/Ubuntu-specific command used to generate initramfs images; it is not available or appropriate on RHEL systems, which use `dracut`.

218
MCQ · easy

Which directive in dhcpd.conf sets the maximum lease time?

A. option lease-time
B. default-lease-time
C. lease-time
D. max-lease-time
Answer: D

Correct directive for maximum lease time.

Why this answer

Option D is correct because the `max-lease-time` directive in `dhcpd.conf` explicitly sets the maximum lease time (in seconds) that the DHCP server will assign to a client, overriding any client request for a longer lease. This ensures the server enforces an upper bound on lease duration, preventing clients from monopolizing IP addresses indefinitely.

Exam trap

The trap here is that candidates often confuse `default-lease-time` (the fallback when no client request is made) with `max-lease-time` (the absolute ceiling), or assume that lease time is set via an `option` statement similar to other DHCP options like `option subnet-mask`.

How to eliminate wrong answers

Option A is wrong because `option lease-time` is not a valid directive in `dhcpd.conf`; the correct syntax uses `max-lease-time` and `default-lease-time` as top-level parameters, not as options within an `option` statement. Option B is wrong because `default-lease-time` sets the lease time used when the client does not request a specific lease time, not the maximum allowed lease time. Option C is wrong because `lease-time` is not a recognized directive in the ISC DHCP server configuration; the parameter must be explicitly named `max-lease-time` or `default-lease-time`.

219
Multi-Select · medium

Which TWO tools can be used to configure network interfaces on a Linux system?

Select 2 answers
A. nmcli
B. route
C. ip
D. ifconfig
E. netstat
Answers: A, C

nmcli is the command-line tool for NetworkManager, widely used for network configuration.

Why this answer

A is correct because `nmcli` is the command-line tool for controlling NetworkManager, which is the standard service for managing network interfaces on modern Linux distributions. It allows you to create, modify, and activate or deactivate network connections, making it a primary tool for interface configuration.

Exam trap

The trap here is that candidates often confuse `ifconfig` as a valid configuration tool because of its historical use, but the LPIC-2 exam expects knowledge that it is deprecated and that `ip` and `nmcli` are the correct modern tools.

220
MCQ · hard

A systems administrator is troubleshooting a server that fails to boot after a kernel upgrade. The boot process hangs at the stage where the kernel attempts to mount the root filesystem. Which of the following is the most likely cause?

A. The root= parameter in the kernel command line points to a non-existent device.
B. The root filesystem is formatted with an unsupported filesystem type.
C. The initrd image is missing from the /boot partition.
D. The GRUB bootloader is not installed on the MBR.
Answer: A

A missing root device causes the kernel to hang while waiting for the device to appear.

Why this answer

When the kernel fails to mount the root filesystem during boot, the most common cause is an incorrect or missing `root=` parameter in the kernel command line. This parameter specifies the device (e.g., `/dev/sda1` or `UUID=...`) that the kernel should mount as the root filesystem; if it points to a non-existent device, the kernel cannot proceed past the mount stage, resulting in a hang or kernel panic.

Exam trap

The trap here is that candidates often confuse a missing initrd (which causes a different error earlier in boot) with a root filesystem mount failure, or they assume an unsupported filesystem type is the issue, but the kernel's behavior at the mount stage specifically points to a missing or misconfigured root device parameter.

How to eliminate wrong answers

Option B is wrong because if the root filesystem were formatted with an unsupported filesystem type, the kernel would typically emit a specific error message (e.g., 'VFS: Cannot open root device') and drop to a kernel panic, not simply hang at the mount stage; modern kernels include drivers for common filesystems like ext4, so this is rare. Option C is wrong because a missing initrd image would cause the kernel to fail to load necessary drivers or modules early in boot, but the boot process would usually halt earlier with a 'No init found' or similar error, not specifically at the root mount stage. Option D is wrong because if GRUB were not installed on the MBR, the system would not even start the bootloader; the boot process would fail before the kernel is loaded, not during the kernel's attempt to mount the root filesystem.

221
MCQ · hard

A Linux client is configured with two network interfaces: eth0 (connected to the internet) and eth1 (connected to a private LAN). The default route is set to eth0. The client can access the internet but cannot access hosts on the private LAN. What is the most likely cause?

A. A firewall on the client is blocking ICMP packets on eth1.
B. The eth1 interface is not configured with an IP address.
C. The eth1 interface is not receiving a DHCP lease.
D. There is no route to the private subnet via eth1.
Answer: D

Without a specific route, traffic to the private subnet may be sent to the default gateway (eth0) and fail.

Why this answer

Option D is correct because without a route to the private subnet via eth1, the client has no way to forward packets destined for the private LAN out of eth1. The default route via eth0 only handles traffic for destinations not explicitly matched by other routes; if the private subnet is not in the routing table, packets to that subnet will be sent to the default gateway (internet) and fail. The `ip route` command would show the missing entry, and adding a static route (e.g., `ip route add 192.168.1.0/24 dev eth1`) resolves the issue.

Exam trap

The trap here is that candidates often assume a missing IP address or DHCP lease is the cause, but the question explicitly states the client has two configured interfaces—the real issue is the absence of a route to the private subnet, which is a classic LPIC-2 routing table pitfall.

How to eliminate wrong answers

Option A is wrong because a firewall blocking ICMP on eth1 would prevent ping responses but not necessarily all TCP/UDP traffic to hosts on the private LAN; the question states the client cannot access hosts at all, which points to a routing issue, not a firewall rule. Option B is wrong because if eth1 had no IP address, the interface would not be up or operational, but the scenario implies the interface exists and is configured (otherwise the client would not even attempt to use it); the problem is specifically about missing routing, not missing IP configuration. Option C is wrong because DHCP is not required for a private LAN; static IP configuration is common, and the absence of a DHCP lease would not prevent manual IP assignment or routing—the core issue remains the missing route.

222
MCQ · easy

Which Samba component provides NetBIOS name resolution and browsing services?

A. swat
B. smbd
C. nmbd
D. winbind
Answer: C

nmbd handles NetBIOS name services and browsing.

Why this answer

The nmbd daemon is the Samba component responsible for NetBIOS name resolution and browsing services. It listens for NetBIOS name service requests (port 137/UDP) and datagram distribution (port 138/UDP), enabling Windows clients to resolve NetBIOS names to IP addresses and participate in network browsing (e.g., listing shares in Network Neighborhood). Without nmbd, Samba cannot provide legacy NetBIOS-based name resolution or browse lists, though modern Samba can also use DNS-based discovery.

Exam trap

The trap here is that candidates often confuse smbd (the core file-sharing daemon) with nmbd, assuming that file sharing inherently includes name resolution, but in Samba these are separate daemons with distinct roles.

How to eliminate wrong answers

Option A is wrong because swat (Samba Web Administration Tool) is a web-based configuration interface for editing smb.conf, not a daemon that provides NetBIOS name resolution or browsing. Option B is wrong because smbd handles file and print sharing services (SMB/CIFS protocol) and authentication, but does not perform NetBIOS name resolution or browsing. Option D is wrong because winbind is a component that integrates Samba with Windows domain authentication (e.g., resolving user/group IDs from Active Directory), not NetBIOS name resolution or browsing.

223
MCQ · medium

A user needs to run a specific command as root without being prompted for a password. The command is /usr/bin/systemctl restart apache2. Which sudoers rule accomplishes this securely?

A. user ALL=(root) /usr/bin/systemctl restart apache2
B. user ALL=(root) NOPASSWD: ALL
C. user ALL=(root) NOPASSWD:: /usr/bin/systemctl restart apache2
D. user ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
Answer: D

The NOPASSWD tag allows running the specific command without a password.

Why this answer

Option D is correct because it allows the user to run only that specific command without a password, using NOPASSWD. Option A is wrong because it requires a password. Option B is wrong because it allows any command.

Option C is wrong because the syntax is incorrect (should be NOPASSWD: not NOPASSWD::).

224
MCQ · medium

During boot, the kernel panics with 'VFS: Unable to mount root fs on unknown-block(0,0)'. Which of the following is the most likely cause?

A. The kernel lacks the driver for the storage controller.
B. The kernel image is corrupted.
C. The init process is missing.
D. The root filesystem is formatted with an unsupported filesystem.
Answer: A

Missing driver prevents accessing the root filesystem.

Why this answer

The error 'VFS: Unable to mount root fs on unknown-block(0,0)' indicates the kernel cannot find a driver for the block device containing the root filesystem. This most commonly occurs when the kernel lacks the necessary storage controller driver (e.g., for SATA, NVMe, or SCSI controllers), often because the driver was built as a module and not included in the initramfs or compiled into the kernel.

Exam trap

The trap here is that candidates confuse a missing init process (which occurs after mounting) with a missing storage driver (which prevents mounting entirely), leading them to select option C when the error clearly indicates the root device itself is unrecognized.

How to eliminate wrong answers

Option B is wrong because a corrupted kernel image would typically cause a different error, such as a panic during decompression or an 'Invalid or corrupt kernel image' message, not a VFS mount failure on a specific block device. Option C is wrong because a missing init process would result in a 'Kernel panic - not syncing: No init found' error after the root filesystem is successfully mounted, not a failure to mount the root filesystem itself. Option D is wrong because an unsupported filesystem would produce an error like 'VFS: Cannot open root device' or 'unknown filesystem type', but the block device would still be recognized (e.g., 'unknown-block(8,1)'), not 'unknown-block(0,0)' which indicates no driver claimed the device.

225
Multi-Select · hard

Which THREE conditions must be met for an SSH key-based login to succeed using the default settings on an OpenSSH server? (Choose three.)

Select 3 answers
A. The ~/.ssh directory on the remote server has permissions 0700
B. The remote server has the public key appended to ~/.ssh/authorized_keys
C. The remote server has the host key /etc/ssh/ssh_host_rsa_key
D. The client has the server's public host key stored in ~/.ssh/known_hosts
E. The client has the private key in ~/.ssh/id_rsa
Answers: A, B, E

SSH requires strict permissions on .ssh directory.

Why this answer

Options A, B, and E are correct. The private key must be on the client (usually in ~/.ssh/id_rsa). The public key must be in the remote user's ~/.ssh/authorized_keys.

The permissions of the remote ~/.ssh directory must be 0700. With default settings, the OpenSSH server allows public key authentication. Option C is wrong because the server's /etc/ssh/ssh_host_rsa_key is the host key, not a user key.

Option D is wrong because the client does not need to store the host key manually; it is verified on first connect. So D is not a condition for login success.
