Linux Professional Institute Certification Level 2 LPIC-2 (LPIC-2) — Questions 226300

511 questions total · 7 pages · All types, answers revealed

Page 4 of 7
226
MCQ · medium

An organization runs a Samba server in standalone mode. They want to allow anonymous (guest) access to a public share. Which configuration option enables guest access for a share?

A. anonymous = yes
B. security = share
C. guest account = nobody
D. map to guest = Bad User and guest ok = yes
Answer: D

This maps unknown users to the guest account and allows guest access.

Why this answer

Option D is correct because Samba requires both `map to guest = Bad User` (which tells Samba to treat any connection attempt with an invalid username as a guest connection) and `guest ok = yes` (which explicitly permits guest access to the share). Without both, anonymous access will be denied. The `map to guest` directive can also be set to `Bad Password` or `Never`, but `Bad User` is the typical choice for public shares.

Exam trap

The trap here is that candidates often think `security = share` or `guest account = nobody` alone enables guest access, but Samba requires both the global `map to guest` directive and the per‑share `guest ok = yes` to actually allow anonymous connections.

How to eliminate wrong answers

Option A is wrong because `anonymous = yes` is not a valid Samba configuration parameter; Samba uses `guest ok` and `map to guest` instead. Option B is wrong because `security = share` was a legacy Samba security mode (removed in Samba 4.x) that allowed per-share password authentication but did not itself enable guest access; modern Samba uses `security = user` or `security = ads`. Option C is wrong because `guest account = nobody` only specifies which Unix account is used for guest privileges (default is `nobody`), but it does not enable guest access; the share must also have `guest ok = yes` and the global `map to guest` setting must be configured.

227
Drag & Drop · medium

Order the steps to configure a Linux system to send system logs to a remote syslog server.

Why this order

Edit config, add destination, restart, generate test log, verify on remote.

228
MCQ · easy

Which systemd target is equivalent to the traditional SysV runlevel 3 (multi-user text mode)?

A. rescue.target
B. graphical.target
C. multi-user.target
D. emergency.target
Answer: C

This target provides a multi-user, non-graphical environment.

Why this answer

The correct answer is C because in systemd, multi-user.target is the direct equivalent of SysV runlevel 3, which provides a multi-user text-mode environment without a graphical desktop. This target starts all essential system services and network support but does not launch a display manager, making it the standard for headless servers and maintenance.

Exam trap

The trap here is that candidates often confuse rescue.target (runlevel 1) with multi-user.target (runlevel 3) because both lack a GUI, but rescue.target is for single-user recovery with minimal services, not for normal multi-user text-mode operation.

How to eliminate wrong answers

Option A is wrong because rescue.target is equivalent to SysV runlevel 1 (single-user mode) and is used for emergency system recovery with minimal services, not for normal multi-user text operation. Option B is wrong because graphical.target is equivalent to SysV runlevel 5, which adds a graphical login manager (e.g., GDM, LightDM) on top of multi-user.target, not the text-only runlevel 3. Option D is wrong because emergency.target is an even more minimal state than rescue.target, starting only a root shell on the console with no network or other services, and has no direct SysV runlevel equivalent.

229
MCQ · hard

A company has a Samba server configured as a domain member in an Active Directory domain. The server runs Samba 4.13. Recently, Windows clients have been unable to access shares, and the domain join seems broken. The administrator runs 'net ads testjoin' and gets 'Join to domain is not valid'. The smb.conf includes: security = ads, realm = EXAMPLE.COM, workgroup = EXAMPLE. The administrator can successfully resolve the domain controller via DNS. What should the administrator do to fix the issue?

A. Re-run 'net ads join -U administrator' to rejoin the domain.
B. Restart the winbind service and run 'wbinfo -t'.
C. Add 'kerberos method = secrets and keytab' to smb.conf.
D. Increase the 'log level' to 3 and restart smbd.
Answer: A

This re-establishes the domain membership.

Why this answer

The 'net ads testjoin' command returned 'Join to domain is not valid', which indicates the machine account password stored in the local secrets.tdb file no longer matches the one in Active Directory. Re-running 'net ads join -U administrator' re-establishes the secure channel by resetting the machine account password and updating the Kerberos keytab, restoring the domain membership.

Exam trap

The trap here is that candidates often confuse a broken domain join with a simple service restart or trust test, but the 'Join to domain is not valid' error specifically indicates the machine account credentials are invalid and require a fresh join.

How to eliminate wrong answers

Option B is wrong because restarting winbind and running 'wbinfo -t' only tests the trust relationship with the domain controller but does not repair a broken machine account password; it would still fail if the join is invalid. Option C is wrong because 'kerberos method = secrets and keytab' is the default behavior in Samba 4.13 and adding it explicitly does not fix a corrupted machine account; the issue is not a missing Kerberos method configuration. Option D is wrong because increasing the log level and restarting smbd only provides more verbose logging for debugging but does not resolve the underlying broken domain join; it is a diagnostic step, not a fix.

230
MCQ · medium

A system administrator needs to ensure that all users must change their passwords every 90 days and that passwords must be at least 12 characters long. The administrator modifies /etc/login.defs and /etc/pam.d/common-password. Which additional step is required to enforce these settings for existing users?

A. Run 'chage -M 90' for each existing user
B. Run 'passwd -x 90' for each existing user
C. Run 'pwconv' to synchronize password aging
D. Run 'pwunconv' then 'pwconv' to update shadow file
Answer: A

chage modifies password aging for existing users.

Why this answer

Modifying /etc/login.defs sets default password aging parameters for new users, and /etc/pam.d/common-password enforces password length via pam_pwquality. However, these changes do not retroactively apply to existing users. The chage command modifies the /etc/shadow file directly, and running 'chage -M 90' for each existing user sets their maximum password age to 90 days, enforcing the policy.

Exam trap

The trap here is that candidates assume modifying /etc/login.defs applies retroactively to existing users, but it only affects future user creations, so a per-user command like chage is required to enforce the policy on current accounts.

How to eliminate wrong answers

Option B is wrong because, although 'passwd -x 90' also sets the maximum password age in a user's /etc/shadow entry, the standard LPIC-2 command for this purpose is 'chage -M'; 'passwd -x' is a less common and less portable alternative. Option C is wrong because 'pwconv' synchronizes the /etc/passwd and /etc/shadow files, ensuring shadow passwords are in use, but it does not set or modify password aging values. Option D is wrong because 'pwunconv' then 'pwconv' would convert shadow passwords back to /etc/passwd and then back again, which could disrupt password aging fields and is unnecessary; it does not enforce the 90-day aging requirement.

231
Multi-Select · medium

Which TWO of the following are valid ways to map a Windows user to a Linux account in Samba?

Select 2 answers
A. Using a 'username map' file specified by the 'username map' parameter
B. Using 'force user' in the share definition
C. Using the 'map user' command in smbpasswd
D. Setting 'winbind use default domain = yes'
E. Using the 'valid users' directive in smb.conf
Answers: A, B

Maps Windows usernames to Linux usernames

Why this answer

Option A is correct because the 'username map' parameter in smb.conf specifies a file (e.g., /etc/samba/smbusers) that maps Windows usernames to Linux usernames. This allows Samba to translate incoming Windows user credentials to a corresponding Linux account for authentication and file access.

Exam trap

The trap here is that candidates confuse 'force user' (which overrides the authenticated user for file operations) with a mapping mechanism, when in fact it does not map Windows users to Linux accounts but instead forces all connections to run as a specific Linux user.

232
MCQ · easy

A web administrator has installed Apache httpd 2.4 on a Linux server. The default configuration serves files from /var/www/html. When accessing http://server/, the browser shows a directory listing of /var/www/html instead of the index.html file that exists in that directory. The administrator confirms that the user has read permissions on the file and that the file is named index.html. Which directive is most likely missing from the Apache configuration?

A. IndexOptions FancyIndexing
B. DirectoryIndex index.html
C. Options -Indexes
D. Require all granted
Answer: B

Explicitly sets the file to serve when a directory is requested.

Why this answer

The DirectoryIndex directive specifies which file Apache should serve when a client requests a directory (e.g., /). Without it, or if it does not list index.html, Apache falls back to generating a directory listing (if Options +Indexes is enabled) or returns a 403 Forbidden. Since the default configuration for Apache 2.4 includes Options +Indexes and DirectoryIndex index.html, the most likely cause is that the DirectoryIndex directive was removed or overridden in a context (e.g., a <Directory> block) and no longer includes index.html, causing Apache to ignore the file and show the directory listing instead.

Exam trap

The trap here is that candidates often confuse Options +Indexes (which enables directory listings) with the DirectoryIndex directive (which specifies which file to serve instead), leading them to incorrectly choose Options -Indexes as the fix when the real issue is a missing or misconfigured DirectoryIndex.

How to eliminate wrong answers

Option A is wrong because IndexOptions FancyIndexing controls the formatting of directory listings (e.g., icons, column sorting) but does not enable or disable directory listings themselves; it would not cause a directory listing to appear when an index file exists. Option C is wrong because Options -Indexes would disable directory listings entirely, resulting in a 403 Forbidden error, not a directory listing; the problem states a directory listing is shown, so Indexes must be enabled. Option D is wrong because Require all granted controls access permissions (authorization) and would either allow or deny access to the directory; it does not affect whether Apache serves an index file or shows a directory listing.

233
Matching · medium

Match each network service to its purpose.

Assigns IP addresses and network configuration automatically

Resolves hostnames to IP addresses

Synchronizes system time over a network

Provides directory services for authentication and authorization

Caching proxy for HTTP, HTTPS, and FTP

Why these pairings

These services are commonly managed in LPIC-2.

234
Multi-Select · hard

Which TWO steps are required to enable IP forwarding on a Linux system permanently?

Select 2 answers
A. Add net.ipv4.ip_forward=1 to /etc/sysctl.conf
B. echo 1 > /proc/sys/net/ipv4/ip_forward
C. sysctl --system
D. sysctl -w net.ipv4.ip_forward=1
E. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Answers: A, C

Persists configuration to be loaded at boot.

Why this answer

Option A is correct because adding `net.ipv4.ip_forward=1` to `/etc/sysctl.conf` makes the change persistent across reboots. Option C is correct because running `sysctl --system` loads settings from all sysctl configuration files (including `/etc/sysctl.conf`) without requiring a reboot, applying the change immediately and permanently. Together, these two steps ensure IP forwarding is enabled both now and after system restart.

Exam trap

The trap here is that candidates often confuse runtime-only commands (like `echo 1 > /proc/sys/...` or `sysctl -w`) with permanent configuration, forgetting that persistence requires writing to a configuration file such as `/etc/sysctl.conf` or `/etc/sysctl.d/`.

235
MCQ · medium

An administrator runs the command shown. However, when a user tries to execute a binary from /mnt/tmp, it fails with 'Permission denied'. What is the most likely cause?

A. The noexec mount option prevents execution.
B. The binary is not executable.
C. The tmpfs filesystem does not support execution.
D. The nosuid option prevents setuid binaries.
Answer: A

noexec explicitly disallows execution.

Why this answer

The `noexec` mount option explicitly prevents execution of any binaries on the filesystem, regardless of their permission bits. When a filesystem is mounted with `noexec`, the kernel will refuse to execute any file on that mount point, returning 'Permission denied' even if the file has execute permissions set. This is the most likely cause because the administrator's command likely mounted `/mnt/tmp` with `noexec` (e.g., via `mount -o noexec` or a default mount option).

Exam trap

The trap here is that candidates often focus on file permissions (Option B) or filesystem type (Option C) without considering mount options, which override lower-level permissions and are a frequent LPIC-2 exam topic.

How to eliminate wrong answers

Option B is wrong because a non-executable binary would also produce 'Permission denied', but only when the user lacks execute permission on the file itself; the question states the user tries to execute a binary from /mnt/tmp, implying the binary exists with its execute bits set, and the noexec mount option overrides file permissions in any case. Option C is wrong because tmpfs does support execution by default; it is a RAM-based filesystem that can execute binaries unless explicitly mounted with noexec. Option D is wrong because the nosuid option only prevents setuid/setgid bits from taking effect, not regular execution; a binary without setuid would still run.

236
Multi-Select · easy

Which TWO authentication modules can be used with PAM to integrate LDAP authentication on a Linux client?

Select 2 answers
A. pam_unix
B. pam_krb5
C. pam_radius
D. pam_tally2
E. pam_ldap
Answers: B, E

pam_krb5 can be used for Kerberos authentication, often with LDAP.

Why this answer

Option B (pam_krb5) is correct because it allows PAM to authenticate users against a Kerberos KDC, which is commonly used alongside LDAP for single sign-on in enterprise environments. Option E (pam_ldap) is correct because it directly enables PAM to bind to an LDAP directory server for user authentication, typically using the LDAP BIND operation. Both modules are standard choices for integrating LDAP authentication on a Linux client.

Exam trap

The trap here is that candidates may confuse pam_ldap with pam_unix or think pam_radius can be used for LDAP, but the exam expects knowledge of the specific PAM modules designed for directory services and Kerberos integration.

237
MCQ · medium

A system administrator notices that a Linux client is unable to resolve hostnames after connecting to a new network. The client uses DHCP and the /etc/resolv.conf file contains only the loopback address 127.0.0.1. Which of the following is the most likely cause?

A. The DHCP server did not provide DNS server information.
B. The /etc/resolv.conf file is a symbolic link to /run/NetworkManager/resolv.conf.
C. The client is configured to use a local DNS resolver such as systemd-resolved or dnsmasq.
D. The /etc/resolv.conf file is not being updated by the DHCP client.
Answer: C

This is correct because local resolvers often set 127.0.0.1 as the nameserver and then forward queries. If the local resolver is misconfigured or not running, resolution fails.

Why this answer

Option C is correct because when /etc/resolv.conf contains only 127.0.0.1, it typically indicates that a local DNS resolver (like systemd-resolved or dnsmasq) is running on the client. These resolvers bind to the loopback address and handle DNS queries locally, often forwarding them to upstream servers provided by DHCP. The client can still resolve hostnames if the local resolver is properly configured to use the DHCP-supplied DNS servers, so the presence of 127.0.0.1 alone does not imply a failure.

Exam trap

The trap here is that candidates assume 127.0.0.1 in /etc/resolv.conf always indicates a misconfiguration or DHCP failure, when in fact it is a deliberate design of local DNS resolvers like systemd-resolved or dnsmasq that proxy queries to upstream servers.

How to eliminate wrong answers

Option A is wrong because if the DHCP server did not provide DNS server information, the /etc/resolv.conf file would likely be empty or contain only default entries, not specifically the loopback address 127.0.0.1. Option B is wrong because a symbolic link to /run/NetworkManager/resolv.conf does not inherently cause the file to contain only 127.0.0.1; NetworkManager typically writes the actual DNS servers obtained via DHCP, not just the loopback address. Option D is wrong because the DHCP client (e.g., dhclient) does update /etc/resolv.conf by default unless explicitly configured not to; the presence of 127.0.0.1 suggests a local resolver is intentionally intercepting DNS, not that the update mechanism is broken.

238
MCQ · medium

A client reports that the [public] share is visible but all files appear read-only. What is the cause?

A. The create mask = 0755 denies write permissions.
B. The read only = yes parameter forces read-only access.
C. The guest account nobody has no write permission on the file system.
D. The map to guest = Bad User is causing all users to be treated as guest.
Answer: B

Setting read only = yes makes the share read-only regardless of other permissions.

Why this answer

Option B is correct because the `read only = yes` parameter in a Samba share definition explicitly forces all files to appear read-only to clients, regardless of underlying filesystem permissions. This overrides any other permission settings and is the direct cause of the reported behavior where the share is visible but all files are read-only.

Exam trap

The trap here is that candidates often confuse filesystem permissions (like write bits or ACLs) with Samba share-level parameters, assuming that if the guest account lacks write permission, files would appear read-only, when in fact Samba reports the read-only status based on the `read only` parameter, not the guest account's filesystem rights.

How to eliminate wrong answers

Option A is wrong because `create mask = 0755` sets the maximum allowed permissions for newly created files, but it does not prevent write access to existing files; it only affects the default permissions assigned when a file is created, and a mask of 0755 still allows the owner to write. Option C is wrong because the guest account `nobody` lacking write permission on the filesystem would cause write failures, but the symptom described is that files appear read-only (i.e., the client sees them as read-only), which is a Samba-level setting, not a filesystem permission issue. Option D is wrong because `map to guest = Bad User` causes authentication failures to map users to the guest account, but it does not force read-only access; it only affects user identity, not the read-only attribute of files.

239
Multi-Select · easy

Which TWO statements about the /etc/hosts file are true?

Select 2 answers
A. It can contain a line like '127.0.0.1 localhost'.
B. It is used to resolve hostnames to IP addresses.
C. It configures the DNS servers to use.
D. It is consulted after DNS by default.
E. It can define aliases for network interfaces.
Answers: A, B

Common entry for loopback.

Why this answer

Option A is correct because the /etc/hosts file maps hostnames to IP addresses, and the line '127.0.0.1 localhost' is the standard entry for the IPv4 loopback interface. This file is consulted by the system's resolver library before DNS queries are made, allowing local overrides for hostname resolution.

Exam trap

The trap here is that candidates often assume /etc/hosts is consulted after DNS due to its static nature, but the default NSS order places it before DNS, and the file does not configure DNS servers or network interface aliases.

240
MCQ · easy

An administrator needs to create an ext4 filesystem on /dev/sdb1 with a block size of 4096 bytes and reserve 2% of blocks for root. Which command accomplishes this?

A. mkfs.ext4 --block-size 4096 -m 2 /dev/sdb1
B. mkfs.ext4 -B 4096 -m 2 /dev/sdb1
C. mkfs.ext4 -b 4096 -m 2 /dev/sdb1
D. mkfs.ext4 -b 4096 -M 2 /dev/sdb1
Answer: C

-b sets block size to 4096 bytes; -m sets reserved percentage to 2.

Why this answer

Option C is correct because mkfs.ext4 uses the `-b` option to specify the block size in bytes (4096) and `-m` to set the reserved blocks percentage for root (2%). The `-b` flag is the standard short form for block size in the mke2fs family of tools, and `-m` accepts a percentage value directly.

Exam trap

The trap here is that candidates confuse the `-b` (block size) and `-m` (reserved blocks percentage) flags with similar-looking but incorrect flags like `-B` or `-M`, or mistakenly use long options like `--block-size` without verifying the exact syntax supported by mkfs.ext4.

How to eliminate wrong answers

Option A is wrong because `--block-size` is not a valid option for mkfs.ext4; the block size is set with the short form `-b`, and the double-dash syntax is not accepted by this command. Option B is wrong because `-B` is not a valid flag for mkfs.ext4; the uppercase `-B` is used by some other filesystem tools (e.g., mkfs.xfs) but not for ext4, where block size is set with lowercase `-b`. Option D is wrong because `-M` is not a valid flag for mkfs.ext4; the correct flag to set reserved block percentage is lowercase `-m`, and `-M` is unrecognized and would cause an error.

241
Multi-Select · medium

Which TWO commands can be used to display the current iptables rules for the filter table?

Select 2 answers
A. iptables -L
B. iptables -S
C. iptables -t filter -L
D. iptables -t nat -L
E. iptables -t mangle -L
Answers: A, C

Lists rules in the filter table by default.

Why this answer

Option A is correct because `iptables -L` lists the current rules in the default filter table without needing to specify the table explicitly. Option C is correct because `iptables -t filter -L` explicitly selects the filter table and lists its rules, which is functionally equivalent to the default behavior of `iptables -L`.

Exam trap

The trap here is that candidates may confuse `-S` (which outputs rules in a format suitable for saving/restoring) with `-L` (which displays the rules in a readable list), or forget that `-t filter` is the default and assume only `-t filter -L` works.

242
Multi-Select · hard

Which TWO statements are true regarding BIND DNS server security? (Choose two.)

Select 2 answers
A. The 'allow-transfer' ACL is used to restrict which clients can perform recursive queries.
B. The 'allow-recursion' ACL can be used to restrict which clients can use the server's recursive lookup feature.
C. The 'blackhole' ACL can be used to prevent cache poisoning attacks.
D. The 'forwarders' option can be used to disable recursion entirely.
E. The 'allow-query' ACL can be used to restrict which clients can send DNS queries to the server.
Answers: B, E

allow-recursion limits recursive queries to specific clients.

Why this answer

Option B is correct because the 'allow-recursion' ACL in BIND explicitly controls which clients are permitted to use the server's recursive query feature. By restricting recursion to trusted clients, the server avoids being used in amplification attacks and reduces exposure to cache poisoning. This ACL is defined in the options block or per-zone and can reference address match lists or named ACLs.

Exam trap

The trap here is confusing the purpose of 'allow-transfer' (zone transfer restriction) with recursion control, and assuming 'forwarders' disables recursion when it actually just redirects queries to another resolver.

243
MCQ · hard

A Linux router is experiencing packet loss for connections that should be forwarded. The router's IP forwarding is enabled, and the routing table is correct. Which kernel parameter is most likely causing the issue?

A. net.ipv4.conf.all.rp_filter
B. net.ipv4.conf.all.log_martians
C. net.ipv4.conf.all.accept_redirects
D. net.ipv4.ip_forward
Answer: A

When set to 1 (strict) or 2 (loose), rp_filter can drop packets if the source IP is not reachable via the incoming interface, causing loss in complex routing scenarios.

Why this answer

The `net.ipv4.conf.all.rp_filter` parameter enables Reverse Path Filtering (RPF), which drops packets arriving on an interface if the kernel does not have a route back to the source IP via that same interface. On a router forwarding traffic between networks, strict RPF can cause packet loss when asymmetric routing is present, even though IP forwarding and the routing table are correct.

Exam trap

The trap here is that candidates often assume packet loss must be due to IP forwarding being disabled or a routing table error, overlooking that Reverse Path Filtering can drop packets even when forwarding and routes are correct.

How to eliminate wrong answers

Option B is wrong because `net.ipv4.conf.all.log_martians` only logs packets with invalid source addresses (martians) to the kernel log; it does not cause packet loss. Option C is wrong because `net.ipv4.conf.all.accept_redirects` controls whether the router accepts ICMP redirect messages, which affects route updates, not the forwarding of packets themselves. Option D is wrong because `net.ipv4.ip_forward` is explicitly stated as enabled in the question, so it cannot be the cause of the packet loss.

244
Matching · medium

Match each NFS version to its feature.

Stateless protocol with 64-bit file handles

Stateful protocol with integrated locking and security

Adds parallel NFS (pNFS) for scalability

Adds server-side copy and sparse file support

Uses Remote Direct Memory Access for low latency

Why these pairings

NFS versions have evolved to improve performance and features.

245
MCQ · easy

A system administrator needs to find out which kernel parameters were passed at boot time. Which command displays the kernel boot parameters?

A. cat /proc/cmdline
B. dmesg
C. lsmod
D. cat /proc/version
Answer: A

/proc/cmdline contains the boot parameters.

Why this answer

The correct command is `cat /proc/cmdline` because the Linux kernel stores the boot parameters (also known as the kernel command line) passed by the bootloader (e.g., GRUB) in the virtual file `/proc/cmdline`. Reading this file directly displays the exact parameters used during boot, such as `root=`, `quiet`, or `splash`.

Exam trap

The trap here is that candidates confuse `dmesg` (which shows boot messages) with the direct kernel command line, or assume `lsmod` or `/proc/version` might contain boot parameters, when only `/proc/cmdline` provides the exact boot-time arguments.

How to eliminate wrong answers

Option B is wrong because `dmesg` displays kernel ring buffer messages, which include boot logs and driver output, but not the raw kernel command line parameters in a direct, unparsed form. Option C is wrong because `lsmod` lists currently loaded kernel modules, not boot parameters. Option D is wrong because `cat /proc/version` shows the Linux kernel version string and compiler information, not the boot-time command-line arguments.

246
MCQ · easy

A Samba share is intended for guest (anonymous) access. Which global parameter must be set to allow this?

A. guest account = nobody
B. security = share
C. map to guest = Bad User
D. security = user
Answer: C

Maps unknown users to the guest account.

Why this answer

Option C is correct because the `map to guest = Bad User` parameter in Samba's global configuration forces any connection attempt with an invalid or non-existent username to be treated as a guest (anonymous) login. This is the standard way to allow anonymous access to shares while still using `security = user` (the default in modern Samba), as it maps failed authentication to the guest account.

Exam trap

The trap here is that candidates often confuse the deprecated `security = share` (which was removed in Samba 4.x) with the correct modern approach, or they think setting `guest account = nobody` alone is sufficient to enable anonymous access, when in fact `map to guest` is the key parameter that controls the mapping of failed logins to guest sessions.

How to eliminate wrong answers

Option A is wrong because `guest account = nobody` only specifies which Unix user account is used for guest privileges; it does not enable anonymous access by itself—the `map to guest` parameter must also be set. Option B is wrong because `security = share` is a deprecated Samba security mode that was removed in Samba 4.x; modern Samba requires `security = user` and uses `map to guest` to handle anonymous access. Option D is wrong because `security = user` alone requires valid credentials for every connection and does not permit anonymous access; it must be combined with `map to guest` to allow guest logins.

247
MCQ · easy

A small office uses a Samba server for file sharing. The server is running Samba 4.9 on Ubuntu 18.04. Recently, the administrator added a new user 'john' to the system and added him to the 'staff' group. However, when John tries to access the share 'docs' from his Windows laptop, he gets an 'Access Denied' error. The share configuration is:

    [docs]
    path = /srv/docs
    valid users = @staff
    read only = No
    create mask = 0644
    directory mask = 0755

The administrator verifies that John is a member of the staff group by running 'groups john', which shows staff. Other users in staff can access the share. What is the most likely cause?

A. The create mask is too restrictive for John's files.
B. The valid users parameter requires the group to be listed with a plus sign for domain groups.
C. John's Windows credentials are cached from a previous failed attempt.
D. The Samba service needs to be restarted to reload the group membership.
Answer: C

Cached credentials can cause access denied; clearing them resolves the issue.

Why this answer

Option C is correct because Samba caches user credentials and group memberships at the time of the initial connection. When John first attempted to access the share, Samba cached his credentials (including group membership) before he was added to the staff group. Even though the system now shows John as a member of staff, Samba continues to use the cached credentials, resulting in 'Access Denied'.

Clearing the cached credentials on the Windows client (e.g., via 'net use * /delete' or Credential Manager) forces a fresh authentication and group lookup.

Exam trap

The trap here is that candidates often assume Samba must be restarted or that the share configuration is incorrect, when in fact the issue is client-side credential caching—a subtle but critical detail in Samba troubleshooting.

How to eliminate wrong answers

Option A is wrong because the create mask (0644) only affects the permissions of newly created files, not the ability to access the share; John cannot even connect to the share, so file permissions are irrelevant. Option B is wrong because in Samba, the 'valid users = @staff' syntax correctly references a local Unix group; a plus sign (+) is used for domain groups in certain Samba configurations (e.g., with 'security = ads'), but this is a local group on a standalone server. Option D is wrong because Samba does not need to be restarted to reload group memberships; Samba checks group membership via the system's NSS (Name Service Switch) at authentication time, but the cached credentials on the client side override this.

248
MCQ · hard

Samba is integrated with Active Directory using security = ads. Which service is required for Kerberos authentication?

A.smbd
B.winbindd
C.samba
D.nmbd
Answer: A

smbd handles Kerberos authentication via GSSAPI.

Why this answer

When Samba is integrated with Active Directory using `security = ads`, Kerberos authentication is handled by the `smbd` daemon. `smbd` is responsible for authenticating incoming SMB connections, and in an AD domain it uses the Kerberos protocol (via the GSSAPI) to validate tickets presented by clients. Without `smbd`, no Kerberos-based authentication can occur for SMB/CIFS services.

Exam trap

The trap here is that candidates often confuse winbindd (which handles identity mapping) with the actual authentication daemon, or assume the generic 'samba' service is a single binary that handles everything, when in fact smbd is the specific daemon for Kerberos-based SMB authentication.

How to eliminate wrong answers

Option B (winbindd) is wrong because winbindd resolves user and group identities from AD and provides NSS/WINS lookups, but it does not perform Kerberos authentication itself — it relies on smbd to handle the actual ticket exchange. Option C (samba) is wrong because 'samba' is the umbrella name for the entire suite; the specific daemon that performs Kerberos authentication is smbd, not a generic 'samba' service. Option D (nmbd) is wrong because nmbd handles NetBIOS name resolution and browsing, not Kerberos authentication — it has no role in the Kerberos ticket exchange or AD authentication.

249
MCQ · medium

A company runs Samba on a Linux server to provide file shares to Windows clients. The server is also a BIND DNS server. After a recent OS upgrade, the Samba service fails to start with the error: 'Failed to create a listening socket for port 445: Permission denied'. The administrator checks that no other service is using port 445. smbd is configured to start as root. What is the most likely cause?

A.The firewall is blocking the port even though it's internal.
B.The 'socket address' parameter is set to an invalid IP.
C.SELinux is blocking the Samba port.
D.The Samba netbios name is too long.
Answer: C

SELinux policies may prevent binding to port 445; check with 'sealert' or disable SELinux to test.

Why this answer

Option C is correct because SELinux, when enforcing, can block Samba from binding to privileged ports like 445 even when the service runs as root. The error 'Permission denied' on port 445, despite no other service using it and the firewall being open, strongly indicates SELinux is denying the bind. The SELinux boolean 'samba_port_t' or the specific port context must be enabled or relabeled for Samba to bind to port 445.

Exam trap

The trap here is that candidates often assume a 'Permission denied' error on a port must be caused by a firewall or another service already binding the port, overlooking SELinux's mandatory access control which can deny the bind even when the port is free and the process runs as root.

How to eliminate wrong answers

Option A is wrong because the firewall would typically produce a 'connection refused' or timeout error, not a 'Permission denied' on the bind syscall; the error occurs at the socket creation level before any network filtering. Option B is wrong because an invalid 'socket address' parameter would cause a different error (e.g., 'Cannot assign requested address') or a failure to resolve the IP, not a generic 'Permission denied' on port 445. Option D is wrong because a NetBIOS name length (max 15 characters) does not affect socket binding; it would cause a NetBIOS name resolution or registration error, not a port bind failure.

250
MCQ · hard

An organization is using Samba as a PDC with an LDAP backend for user accounts. Which idmap backend configuration is appropriate for RFC 2307?

A.idmap config * : backend = tdb
B.idmap config * : backend = ad
C.idmap config * : backend = rid
D.idmap config * : backend = ldap
Answer: D

ldap backend stores mapping in LDAP.

Why this answer

When Samba is configured as a PDC with an LDAP backend for user accounts and RFC 2307 is used, the idmap backend must be set to `ldap` to store and retrieve Unix UID/GID mappings directly from the LDAP directory. This ensures that the POSIX attributes (uidNumber, gidNumber) defined in LDAP are used consistently across all Samba clients, which is the core requirement of RFC 2307.

Exam trap

The trap here is that candidates often confuse the `ldap` idmap backend (used for RFC 2307 with a PDC) with the `ad` backend (used for Active Directory domain membership), or incorrectly assume that a local `tdb` or algorithmic `rid` backend can work with a centralized LDAP user store.

How to eliminate wrong answers

Option A is wrong because `tdb` is a local file-based backend that stores ID mappings in a trivial database, which does not integrate with an LDAP directory and cannot provide centralized, RFC 2307-compliant mappings. Option B is wrong because `ad` is designed for Samba as an Active Directory domain member, not as a PDC with an LDAP backend, and it relies on AD-specific attributes rather than RFC 2307 schema. Option C is wrong because `rid` algorithmically generates UIDs/GIDs from the Windows RID, which bypasses the LDAP directory and cannot honor the explicit uidNumber/gidNumber values defined in RFC 2307.

251
Multi-Select · medium

Which TWO parameters in the [global] section are REQUIRED for a Samba server to act as a standalone server (not a member of a domain)?

Select 2 answers
A.server string
B.workgroup
C.security = user
D.netbios name
E.passdb backend = tdbsam
Answers: B, C

Correct; must be set to define the workgroup.

Why this answer

For a Samba standalone server, the `workgroup` parameter defines the NetBIOS workgroup name that the server will appear in, which is essential for browsing and identification on the local network. The `security = user` parameter is required because it sets the server to authenticate users locally against its own passdb backend, rather than relying on an external domain controller. Without these two, the server cannot function as a standalone unit.

Exam trap

The trap here is that candidates often think `passdb backend` must be explicitly set (like `tdbsam`) or that `netbios name` is mandatory, but Samba's defaults handle these, while `workgroup` and `security = user` are the true non-negotiable parameters for standalone operation.

252
MCQ · medium

Hosts connected to eth1 cannot communicate with hosts on eth0. Based on the exhibit, what is the most likely reason?

A.Physical layer issues on eth1.
B.Eth1 is not connected to the bridge.
C.Spanning Tree Protocol has placed eth1 in blocking state.
D.The bridge interface has no IP address.
Answer: C

The state 'blocking' for eth1 means STP is preventing forwarding to avoid loops.

Why this answer

The exhibit shows a Linux bridge (br0) with eth0 and eth1 as bridge ports. If hosts on eth1 cannot communicate with hosts on eth0, the most likely cause is that Spanning Tree Protocol (STP) has placed eth1 in a blocking state to prevent a Layer 2 loop. STP blocks redundant paths by transitioning ports through listening, learning, and blocking states, and a blocked port does not forward traffic until the topology converges.

Exam trap

The trap here is that candidates often assume a missing IP address on the bridge interface prevents inter-VLAN or inter-host communication, but STP blocking is the actual Layer 2 issue that stops traffic between bridge ports.

How to eliminate wrong answers

Option A is wrong because physical layer issues (e.g., cable faults, link down) would typically cause the interface to show a 'down' or 'no carrier' state in 'ip link' or 'bridge link' output, which is not indicated in the exhibit. Option B is wrong because if eth1 were not connected to the bridge, it would not appear in the bridge's port list (e.g., 'bridge link show' or 'brctl show' would not list it), but the exhibit shows eth1 as a bridge port. Option D is wrong because a bridge interface does not require an IP address for Layer 2 forwarding between its ports; an IP address is only needed for the host to communicate with the bridge itself or for routing, not for bridging traffic between eth0 and eth1.

253
Multi-Select · easy

Which TWO commands can be used to list all currently listening TCP ports and the associated processes?

Select 2 answers
A.lsof -i TCP -s TCP:LISTEN
B.ss -tlnp
C.netstat -tlnp
D.fuser -v 80/tcp
E.nmap -sT localhost
Answers: B, C

ss -tlnp shows listening TCP ports with process info.

Why this answer

Option B (ss -tlnp) is correct because the ss command with -t (TCP), -l (listening), -n (numeric), and -p (process) shows all listening TCP ports and their associated processes. Option C (netstat -tlnp) is correct because netstat with the same flags provides equivalent output, though ss is the modern replacement on many distributions.

Exam trap

The trap here is that candidates may think lsof or nmap are valid for listing all listening ports with processes, but lsof requires specific syntax and does not natively filter by listening state without extra flags, while nmap is an active scanner, not a passive listener display tool.

254
Multi-Select · medium

Which TWO commands can be used to list currently loaded iptables rules in the filter table? (Choose two.)

Select 2 answers
A.iptables -L -t nat
B.iptables -nL
C.iptables -L -t filter
D.iptables -Z
E.iptables -F
Answers: B, C

Lists rules numerically (default filter table).

Why this answer

Options B and C are correct. `iptables -nL` lists the rules of the default table, which is the filter table, with addresses and ports shown numerically (no DNS or service-name lookups). `iptables -L -t filter` lists the same table, naming it explicitly. `iptables -S` would also list the current rules, printed as the commands that recreate them, but it is not among the options.

How to eliminate wrong answers

Option A is wrong because `-t nat` selects the nat table, not the filter table. Option D is wrong because `-Z` zeroes the packet and byte counters and lists nothing. Option E is wrong because `-F` flushes (deletes) the rules from the table rather than listing them.

255
Multi-Select · hard

Which THREE kernel boot parameters can be added to the GRUB command line to enable verbose debug output during boot? (Choose three.)

Select 3 answers
A.verbose
B.quiet
C.debug
D.earlyprintk
E.loglevel=7
Answers: C, D, E

Enables general debug output from the kernel.

Why this answer

The `debug` kernel boot parameter enables verbose debug output from the kernel during boot, printing extensive diagnostic messages. It is a valid parameter that can be added to the GRUB command line to increase verbosity for troubleshooting.

Exam trap

The trap here is that candidates may confuse `verbose` with a valid kernel parameter or think `quiet` enables debug output, when in fact `quiet` suppresses messages and `verbose` is not a kernel-recognized boot parameter.

256
MCQ · easy

A system administrator wants to configure a Samba share that grants read-only access to the 'staff' group and full control to the 'managers' group. Which share configuration achieves this?

A.[share] path = /srv/share valid users = +staff write list = @managers
B.[share] path = /srv/share valid users = @managers write list = @managers
C.[share] path = /srv/share valid users = +staff write list = +managers
D.[share] path = /srv/share valid users = @staff write list = @staff
Answer: A

Read-only for staff, write for managers

Why this answer

Option A is correct because the `valid users = +staff` directive restricts access to members of the 'staff' group (the `+` prefix means a Unix group), while the `write list = @managers` directive grants write access to members of the 'managers' group (the `@` prefix also means a Unix group). This combination ensures that 'staff' members have read-only access by default, and 'managers' members have full control (read/write).

Exam trap

The trap here is confusing the `+` and `@` prefixes for group references in Samba, leading candidates to incorrectly apply `+` in `write list` or `@` in `valid users` without understanding the subtle differences in their behavior.

How to eliminate wrong answers

Option B is wrong because `valid users = @managers` restricts access to only the 'managers' group, excluding the 'staff' group entirely, which does not grant read-only access to 'staff'. Option C is wrong because `valid users = +staff` uses the `+` prefix for a group, but `write list = +managers` uses the `+` prefix incorrectly; in Samba, `write list` expects the `@` prefix for groups, not `+`. Option D is wrong because `valid users = @staff` restricts access to only the 'staff' group, and `write list = @staff` gives write access to the same group, resulting in full control for 'staff' and no access for 'managers'.

257
Multi-Select · medium

Which two commands can be used to create a swap space on a partition /dev/sdb2? (Choose two.)

Select 2 answers
A.mkswap /dev/sdb2
B.swapon /dev/sdb2
C.dd if=/dev/zero of=/dev/sdb2 bs=1M count=1024
D.mkswap -L swap /dev/sdb2
E.mkfs.swap /dev/sdb2
Answers: A, D

mkswap writes a swap signature to the partition.

Why this answer

The `mkswap` command initializes a partition or file for use as swap space by writing a swap signature (UUID and superblock) to the device. Option A is correct because `mkswap /dev/sdb2` creates the swap filesystem on the specified partition. Option D is also correct because `mkswap -L swap /dev/sdb2` does the same but additionally assigns a label 'swap' to the swap area, which is a valid variant of the command.

Exam trap

The trap here is that candidates confuse `mkswap` (which creates the swap filesystem) with `swapon` (which activates it), or they assume a generic `mkfs.*` command exists for swap, leading them to pick the invalid `mkfs.swap` option.

258
Multi-Select · hard

Which three PAM modules can be used to enforce password complexity? (Select three.)

Select 3 answers
A.pam_securetty.so
B.pam_passwdqc.so
C.pam_unix.so
D.pam_pwquality.so
E.pam_cracklib.so
Answers: B, D, E

This module enforces password quality and complexity.

Why this answer

pam_cracklib.so, pam_pwquality.so, and pam_passwdqc.so are all modules designed to enforce password complexity policies. pam_unix.so handles basic password authentication but not complexity. pam_securetty.so restricts root login to secure terminals.

259
MCQ · hard

An administrator wants to create a thin provisioned LVM pool and a thin volume. Which sequence of commands is correct?

A.lvcreate -L 10G -T vg/pool; lvcreate -V 5G -T vg/pool/thinvol
B.lvcreate -L 10G --thinpool vg/pool; lvcreate -V 5G --thin vg/pool/thinvol
C.lvcreate -L 10G -T vg/pool; lvcreate -n thinvol -V 5G vg/pool
D.lvcreate -L 10G -T vg/pool; lvcreate -V 5G -n thinvol vg/pool
Answer: B

Correct syntax for thin pool and thin volume.

Why this answer

Option B is correct because it uses the correct LVM commands to create a thin provisioned pool and a thin volume. The first command, `lvcreate -L 10G --thinpool vg/pool`, creates a thin pool named 'pool' in volume group 'vg' with a 10G metadata and data area. The second command, `lvcreate -V 5G --thin vg/pool/thinvol`, creates a thin volume named 'thinvol' within that pool, specifying the virtual size with `-V`.

The `--thinpool` and `--thin` flags are the proper LVM2 syntax for thin provisioning.

Exam trap

The trap here is that candidates confuse the `-T` flag (which can create both thin pools and thin volumes depending on context) with the explicit `--thinpool` and `--thin` flags, and often forget that creating a thin volume requires specifying the pool path (e.g., `vg/pool/thinvol`) and the `--thin` flag, not just a regular `lvcreate` with `-n`.

How to eliminate wrong answers

Option A is wrong because, although the first command `lvcreate -L 10G -T vg/pool` does create the thin pool (`-T` is the short form of `--thin`), the second command `lvcreate -V 5G -T vg/pool/thinvol` uses `-T` where creating the thin volume expects the explicit `--thin` flag. Option C is wrong because the second command `lvcreate -n thinvol -V 5G vg/pool` attempts to create a regular logical volume, not a thin volume, and does not specify the thin pool or use the `--thin` flag. Option D is wrong because the second command `lvcreate -V 5G -n thinvol vg/pool` also creates a regular logical volume, missing the `--thin` flag and the pool path.

260
MCQ · medium

An administrator configured an autofs direct map for a remote NFS share. The master map at /etc/auto.master contains a line: '/data /etc/auto.direct'. The direct map file /etc/auto.direct has: '/projects -rw,soft fileserver:/exports/projects'. When a user tries to cd /data/projects, it hangs. The autofs service is running. What is the most likely cause?

A.The master map should use '/-' instead of '/data' for direct maps.
B.The NFS server fileserver is not exporting /exports/projects.
C.The autofs service is not started.
D.The 'soft' mount option is missing.
Answer: A

Direct maps require the master map to have a mount point of '/-'.

Why this answer

Direct maps in autofs must use the special mount point '/-' in the master map, not an actual directory path like '/data'. When '/data' is specified, autofs treats it as an indirect map key, causing it to look for a subdirectory matching the key under '/data' rather than triggering the direct mount of '/projects'. This mismatch leads to a hang when the user attempts to access '/data/projects' because autofs never attempts the NFS mount.

Exam trap

The trap here is that candidates often confuse the syntax for direct versus indirect maps in the master map, mistakenly thinking any path can be used for direct maps, when in fact '/-' is a required literal placeholder.

How to eliminate wrong answers

Option B is wrong because even if the NFS export is missing, the hang occurs before any mount attempt due to the master map misconfiguration; a missing export would typically result in a timeout or error after the mount is attempted, not an immediate hang. Option C is wrong because the question explicitly states the autofs service is running, so this is not the cause. Option D is wrong because the 'soft' mount option is already present in the direct map entry; moreover, the hang is not related to mount option behavior but to the fundamental map type misconfiguration.
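The direct-versus-indirect mismatch described above can be caught before anyone hits a hanging `cd`. The following Python lint is an added example (not autofs code and not part of the original question set): it classifies each file-backed map by whether its keys are absolute paths and reports any direct map declared under a mount point other than '/-'. The master map contents, map files and file names are constructed for the example.

```python
# Added example: a lint for autofs master/map consistency. All map contents
# and file names below are constructed for the example, not taken from a real host.
MASTER_MAP = """
# /etc/auto.master (constructed): the '/data' line is the misconfiguration from the question
/data   /etc/auto.direct
/home   /etc/auto.home
+dir:/etc/auto.master.d
"""

MAP_FILES = {
    "/etc/auto.direct": "/projects -rw,soft fileserver:/exports/projects\n",
    "/etc/auto.home":   "*  -fstype=nfs  fileserver:/exports/home/&\n",
}


def parse_master(text):
    """Return [(mount_point, map_path)] for the file-backed entries of a master map."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Comments and '+' include lines (e.g. +dir:, +auto.master) are skipped here.
        if not line or line[0] in "#+":
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        mount_point, map_spec = fields[0], fields[1]
        if ":" in map_spec:
            map_type, _, map_spec = map_spec.partition(":")
            if map_type != "file":
                continue  # yp:, ldap:, program: maps need a live source to inspect
        entries.append((mount_point, map_spec))
    return entries


def map_kind(map_text):
    """Classify a map by its keys: 'direct' if every key is an absolute path,
    'indirect' if none is, 'mixed' if both occur, None for an empty map."""
    kinds = set()
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split()[0]
        kinds.add("direct" if key.startswith("/") else "indirect")
    if not kinds:
        return None
    return kinds.pop() if len(kinds) == 1 else "mixed"


def check_autofs(master_text, map_files):
    """Return a list of findings; an empty list means the master map and
    its file-backed maps agree on direct ('/-') versus indirect mount points."""
    findings = []
    for mount_point, map_path in parse_master(master_text):
        if map_path not in map_files:
            findings.append(f"{mount_point}: map file {map_path} is missing")
            continue
        kind = map_kind(map_files[map_path])
        if kind == "direct" and mount_point != "/-":
            findings.append(
                f"{mount_point}: {map_path} contains direct-map keys (absolute paths), "
                "so the master map mount point must be '/-'; as written, autofs never "
                "attempts the mount and access to the path hangs")
        elif kind == "indirect" and mount_point == "/-":
            findings.append(f"/-: {map_path} contains indirect-map keys (relative names), "
                            "so it needs a real directory as mount point instead of '/-'")
        elif kind == "mixed":
            findings.append(f"{mount_point}: {map_path} mixes absolute and relative keys")
    return findings


if __name__ == "__main__":
    for finding in check_autofs(MASTER_MAP, MAP_FILES):
        print(finding)
```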

261
MCQ · easy

A filesystem is reported as 'read-only' after an unexpected power failure. Which command should be used to attempt repair without data loss?

A.mount -o remount,rw /dev/sda1
B.fsck -y /dev/sda1
C.fsck -n /dev/sda1
D.e2fsck -p /dev/sda1
Answer: C

Read-only check, no repairs, safe to assess damage.

Why this answer

After an unexpected power failure, the filesystem may have been marked as needing a clean replay of its journal, but it is not necessarily corrupted. Running `fsck -n` performs a read-only check of the filesystem without making any changes, allowing you to assess the extent of damage or confirm that the journal replay is all that is needed. This avoids the risk of `fsck` making incorrect automatic repairs that could cause data loss, which is critical when the root cause is an unclean shutdown rather than structural corruption.

Exam trap

The trap here is that candidates assume any filesystem issue after a power failure requires automatic repair (`-y` or `-p`), but the correct first step is a read-only check (`-n`) to avoid data loss from premature or unnecessary writes.

How to eliminate wrong answers

Option A is wrong because `mount -o remount,rw` attempts to force the filesystem to read-write without checking its integrity; if the filesystem is marked as needing a journal replay or has minor inconsistencies, this can lead to further corruption or data loss. Option B is wrong because `fsck -y` automatically answers 'yes' to all repair prompts, which can apply destructive fixes (e.g., removing inodes or truncating files) that may not be necessary after a power failure, potentially causing data loss. Option D is wrong because `e2fsck -p` (the 'preen' mode) automatically repairs filesystem issues that are considered safe, but after a power failure, the filesystem may only need a journal replay (which happens on mount), and running `e2fsck -p` can still make unnecessary changes that risk data loss.

262
MCQ · medium

A system administrator notices that the SSH service on a Linux server is failing to start. The log shows: 'sshd: error: Could not load host key: /etc/ssh/ssh_host_rsa_key'. What is the most likely cause and solution?

A.The sshd_config file has a syntax error. Run 'sshd -t' to check it.
B.The SSH service is managed by xinetd and the configuration is missing. Edit /etc/xinetd.d/ssh.
C.The /etc/ssh/sshd_config file has incorrect permissions. Change them to 600.
D.The host key file is missing or corrupt. Run 'ssh-keygen -A' to regenerate all missing host keys.
Answer: D

This regenerates default host keys.

Why this answer

The error message indicates that the SSH daemon cannot load the RSA host key file. Host keys are generated during package installation or manually via ssh-keygen. Option D is correct because running 'ssh-keygen -A' automatically generates all missing host key types (RSA, ECDSA, Ed25519) that are configured for use, resolving the missing or corrupt key issue without manual intervention.

Exam trap

The trap here is that candidates may confuse host key issues with configuration file errors or permissions, but the specific error message directly points to the host key file, not sshd_config, and the correct solution is to regenerate the missing keys rather than editing configuration or checking syntax.

How to eliminate wrong answers

Option A is wrong because a syntax error in sshd_config would produce a different error (e.g., 'sshd: fatal: bad ownership or modes') and 'sshd -t' checks configuration syntax, not host key availability. Option B is wrong because SSH is typically managed as a standalone service via systemd or init scripts, not xinetd; xinetd is used for services like Telnet or TFTP, and SSH over xinetd is extremely rare and not the default. Option C is wrong because the error is about the host key file, not sshd_config; incorrect permissions on sshd_config would cause a different error (e.g., 'bad ownership or modes') and the host key file itself must be 600, but the error message explicitly names the key file, not the config file.

263
MCQ · easy

After installing a new kernel on a system using GRUB2, which command should be run to update the boot menu configuration file?

A.grub-install /dev/sda
B.grub-mkconfig -o /boot/grub/grub.cfg
C.update-grub
D.grub2-mkconfig -o /boot/grub2/grub.cfg
Answer: B

This is the standard command to regenerate the GRUB2 configuration file.

Why this answer

After installing a new kernel on a system using GRUB2, the boot menu configuration file must be regenerated to include the new kernel entry. The command `grub-mkconfig -o /boot/grub/grub.cfg` reads the configuration snippets in `/etc/default/grub` and scripts in `/etc/grub.d/`, then writes the updated GRUB2 configuration to the specified output file (`/boot/grub/grub.cfg`). This is the standard method on most Linux distributions that use GRUB2 (e.g., Debian, Ubuntu, RHEL 7+).

Exam trap

The trap here is that candidates confuse `grub-install` (which installs the bootloader to disk) with `grub-mkconfig` (which updates the menu configuration), or they assume distribution-specific wrappers like `update-grub` are the correct answer when the exam expects the generic GRUB2 command.

How to eliminate wrong answers

Option A is wrong because `grub-install /dev/sda` installs GRUB2 to the Master Boot Record (MBR) or GPT partition of the disk, but it does not regenerate the boot menu configuration file; it only writes the bootloader code and stage files. Option C is wrong because `update-grub` is a distribution-specific wrapper script (commonly found on Debian/Ubuntu) that internally calls `grub-mkconfig -o /boot/grub/grub.cfg`, but it is not the direct command specified in the LPIC-2 exam objectives; the exam expects the explicit `grub-mkconfig` command. Option D is wrong because `grub2-mkconfig -o /boot/grub2/grub.cfg` uses the legacy GRUB2 naming convention (e.g., on RHEL/CentOS 7), but the question specifies a system using GRUB2 without indicating the distribution-specific path; the standard GRUB2 configuration file path is `/boot/grub/grub.cfg`, not `/boot/grub2/grub.cfg`.

264
MCQ · medium

A company develops a custom PCIe device driver as a kernel module. After installing a new kernel version 5.10.50 via a distribution update, the existing driver module fails to load with the error: 'insmod: ERROR: could not insert module mydriver.ko: Invalid module format'. The administrator checks the kernel version and sees that the module was compiled against a previous kernel version 5.10.45. The driver source code is available in /usr/src/mydriver. The administrator needs to get the driver working with the new kernel. Which of the following is the correct course of action?

A.Copy the compiled .ko file to /lib/modules/5.10.50/kernel/drivers/misc/ and run 'depmod -a'
B.Edit the module's Makefile to change the version string to match the new kernel
C.Recompile the module using 'make -C /lib/modules/$(uname -r)/build M=/usr/src/mydriver modules'
D.Use 'modprobe --force mydriver' to bypass the version check
Answer: C

This compiles the module against the new kernel's build tree, ensuring compatible symbols.

Why this answer

Option C is correct because the kernel module was compiled against a different kernel version (5.10.45) and the new kernel (5.10.50) has a different vermagic string, which includes the kernel version and other build parameters. The module must be recompiled against the new kernel's build tree located at /lib/modules/$(uname -r)/build to match the vermagic and ensure symbol compatibility. The command 'make -C /lib/modules/$(uname -r)/build M=/usr/src/mydriver modules' uses the kernel build system to compile the module against the running kernel's configuration and headers.

Exam trap

The trap here is that candidates assume copying the module to the correct directory or using --force will work, but the kernel's strict version and symbol checking requires recompilation against the exact kernel build tree.

How to eliminate wrong answers

Option A is wrong because copying the old .ko file to the new kernel's module directory and running depmod -a does not change the module's internal vermagic string; the kernel will still reject it due to version mismatch. Option B is wrong because editing the Makefile to change the version string does not recompile the module; the compiled .ko file retains the original vermagic from the previous build, and the Makefile change would only affect future compilations. Option D is wrong because modprobe --force bypasses the vermagic check but not the symbol versioning (CRC) check, and it can lead to kernel instability or crashes; it is not a proper solution for production systems.

265
MCQ · easy

A system administrator notices that external clients cannot resolve the company's primary website (www.example.com) but internal clients can. What is the most likely cause?

A.The internal DNS server is not authoritative for the zone.
B.The firewall is blocking port 53 UDP to the internal DNS server.
C.The external DNS server has a missing A record for www.example.com.
D.The internal DNS server is not configured for recursion.
Answer: C

External clients query the external authoritative server; if the A record is missing, resolution fails.

Why this answer

External clients rely on the external authoritative DNS server. If the A record for www.example.com is missing from that server, external resolution fails. Internal clients use a different DNS server (e.g., internal caching resolver) that may have the record cached or is authoritative for the zone.

Option C is correct because the missing A record on the external authoritative server is the most direct cause. Option A is incorrect because an internal server can be authoritative; the issue is external. Option B is incorrect because a firewall blocking port 53 would affect both internal and external clients.

Option D is incorrect because recursion is not required for authoritative resolution.

266
MCQ · medium

A Samba share is configured with 'force user = jane'. A user 'bob' accesses the share. With what effective user ID will file operations be performed?

A.root
B.jane
C.nobody
D.bob
Answer: B

All file operations use the forced user 'jane'.

Why this answer

The 'force user' directive in Samba overrides the authenticated user's identity for all file operations on the share. When 'force user = jane' is set, any user accessing the share, including 'bob', will have their effective user ID changed to 'jane' for all file reads, writes, and ownership checks. This ensures that files created or modified on the share are owned by 'jane', regardless of who actually connects.

Exam trap

The trap here is that candidates often confuse 'force user' with 'valid users' or 'guest only', mistakenly thinking the connecting user's identity is preserved for file operations, when in fact 'force user' completely overrides the effective UID.

How to eliminate wrong answers

Option A is wrong because 'force user' does not map to 'root'; root is only used if explicitly specified or if the share uses 'admin users'. Option C is wrong because 'nobody' is the default guest account when 'guest ok = yes' is set, but 'force user' overrides that mapping. Option D is wrong because 'bob' is the connecting user, but 'force user' explicitly replaces his effective UID with that of 'jane' for all file operations on the share.
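The share rules discussed in questions 247, 256 and this one (`valid users`, `write list`, `read only`/`writeable` and `force user`) can be evaluated offline for a given user and group list. The following Python is an added example, not Samba code, and uses a constructed smb.conf fragment; it treats `@` and `+` alike as Unix group references and does not model NIS netgroups, guest access or the underlying filesystem permissions.

```python
import re

# Constructed smb.conf fragment combining the shares from questions 247, 256 and 266.
SAMPLE_SMB_CONF = """
[docs]
   path = /srv/docs
   valid users = @staff
   read only = No
   create mask = 0644
   directory mask = 0755

[share]
   path = /srv/share
   valid users = +staff
   write list = @managers

[dropbox]
   path = /srv/dropbox
   force user = jane
   writeable = yes
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {parameter: value}} with section and
    parameter names lower-cased, since Samba treats both case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def _as_bool(value, default):
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def _name_list(value):
    return [e for e in re.split(r"[,\s]+", value or "") if e]


def _entry_matches(entry, user, groups):
    """'@name' and '+name' are treated as Unix group references, as the explanations
    above describe; '&name' (NIS netgroup) is not modeled in this example."""
    if entry[0] in "@+":
        return entry[1:] in groups
    if entry[0] == "&":
        return False
    return entry == user


def _any_match(value, user, groups):
    return any(_entry_matches(e, user, groups) for e in _name_list(value))


def effective_access(conf, share, user, groups):
    """Describe what 'user' (member of 'groups') gets on 'share':
    whether it can connect, whether it can write, and the Unix identity
    under which file operations run."""
    params = conf[share.lower()]
    groups = set(groups)
    # 'invalid users' always wins; 'valid users', when set, limits connections to its members.
    if _any_match(params.get("invalid users"), user, groups):
        return {"can_connect": False, "can_write": False, "effective_user": None}
    if "valid users" in params and not _any_match(params["valid users"], user, groups):
        return {"can_connect": False, "can_write": False, "effective_user": None}
    # A share is read-only by default; 'writeable'/'writable = yes' is the inverse of 'read only'.
    read_only = _as_bool(params.get("read only"), True)
    for alias in ("writeable", "writable"):
        if alias in params:
            read_only = not _as_bool(params[alias], False)
    # 'write list' grants write access regardless of 'read only'; 'read list' removes it,
    # but a user in both lists keeps write access (smb.conf semantics).
    in_write_list = _any_match(params.get("write list"), user, groups)
    in_read_list = _any_match(params.get("read list"), user, groups)
    can_write = in_write_list or (not read_only and not in_read_list)
    # 'force user' replaces the effective UID for every file operation on the share.
    effective_user = params.get("force user", user)
    return {"can_connect": True, "can_write": can_write, "effective_user": effective_user}


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share, user, groups in (("docs", "john", ["staff"]), ("share", "alice", ["staff"]),
                                ("share", "carol", ["staff", "managers"]), ("dropbox", "bob", [])):
        print(share, user, effective_access(conf, share, user, groups))
```

Note that with `valid users = +staff` a manager who is not also a member of staff cannot connect at all, so the evaluator reports `can_connect: False` for that case.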

267
MCQ · hard

A user reports that an external USB hard drive is not detected when plugged in. The system uses a standard kernel with USB support. What is the most likely reason?

A.The USB driver is not installed.
B.The external drive is incompatible.
C.The kernel lacks USB support.
D.The usb_storage module is blacklisted.
Answer: D

The blacklist directive prevents the module from loading automatically.

Why this answer

Option D is correct because the blacklist.conf file prevents the usb_storage module from loading, which is required for USB mass storage devices. The module is installed but not loaded due to blacklisting.

268
Multi-Select · hard

Which THREE conditions must be met for a Linux system to act as a router between two networks?

Select 3 answers
A.IP forwarding must be enabled in the kernel (net.ipv4.ip_forward = 1).
B.The system must have a default gateway configured.
C.The system must have routes to the networks it will forward traffic to.
D.Each interface must have an IP address in the respective subnet.
E.The firewall must allow forwarding (FORWARD chain policy ACCEPT).
Answers: A, C, D

Required to forward packets.

Why this answer

Option A is correct because the Linux kernel must have IP forwarding enabled to forward packets between network interfaces. This is controlled by the sysctl parameter net.ipv4.ip_forward = 1, which allows the kernel to act as a router by forwarding IP packets from one interface to another based on the routing table.

Exam trap

The trap here is that candidates often confuse the requirement for a default gateway (option B) with the need for specific routes to the networks being forwarded, but a router only needs routes to the destination networks, not a default gateway, unless it must forward traffic to networks beyond its directly connected ones.

269
MCQeasy

Which command would add the default gateway 192.168.1.1 to this interface?

A.ip route add 0.0.0.0/0 via 192.168.1.1 dev eth0
B.ip route add default via 192.168.1.1 dev eth0
C.route add default gw 192.168.1.1
D.ip route add default via 192.168.1.1
AnswerB

Standard iproute2 command with dev specified.

Why this answer

Option B is correct because the `ip route add default via 192.168.1.1 dev eth0` command explicitly specifies both the gateway address and the outgoing interface, which is necessary when multiple interfaces exist or when the kernel needs to resolve the next-hop without ambiguity. The `default` keyword is a shorthand for `0.0.0.0/0` in IPv4, and the `dev eth0` clause ensures the route is bound to the correct interface.

Exam trap

The trap here is that candidates often choose the legacy `route` command (Option C) out of habit, forgetting that the modern `ip` command is required for LPIC-2 exams, and they may overlook the necessity of specifying the interface (`dev eth0`) to avoid ambiguous routing when multiple network interfaces are present.

How to eliminate wrong answers

Option A is wrong because `ip route add 0.0.0.0/0 via 192.168.1.1 dev eth0` is technically valid but not the most standard or concise form; however, the question asks for the command that would add the default gateway, and while this works, it is not the preferred syntax in modern Linux networking (the `default` keyword is standard). Option C is wrong because `route add default gw 192.168.1.1` is a legacy command from the net-tools package, which is deprecated and may not be available on all modern distributions; it also lacks the `dev eth0` interface specification, which can cause the route to be added to the wrong interface or fail if the gateway is not directly reachable. Option D is wrong because `ip route add default via 192.168.1.1` omits the `dev eth0` interface binding, which can lead to routing failures if the system has multiple interfaces or if the kernel cannot determine the correct egress interface for the next-hop.

270
Multi-Selecthard

Which three conditions must be met for a filesystem to be mounted by UUID in /etc/fstab? (Choose three.)

Select 3 answers
A.The blkid command must have been run at least once
B.The UUID must be listed in the kernel's boot parameters
C.The UUID must be present in /dev/disk/by-uuid/
D.The filesystem must be formatted with a utility that writes UUIDs
E.The UUID in fstab must match the filesystem's UUID
AnswersC, D, E

The kernel uses this symlink to resolve the UUID to a device.

Why this answer

Option C is correct because the Linux kernel and udev create symbolic links in /dev/disk/by-uuid/ for each block device that has a UUID. When /etc/fstab specifies a filesystem by UUID, the mount command resolves the UUID by looking up the corresponding symlink in this directory. If the symlink is missing (e.g., due to a missing udev rule or a corrupted device), the mount will fail.

Exam trap

The trap here is that candidates often think blkid must be run first to 'register' the UUID, but in reality, udev and the kernel automatically populate /dev/disk/by-uuid/ at boot or when a device is added.

271
MCQhard

A security audit reveals that the /var/log directory contains world-readable log files that may contain sensitive information. The administrator wants to ensure new files created in /var/log are not readable by others, without affecting existing file permissions. Which umask value should be set system-wide?

A.umask 027
B.umask 022
C.umask 077
D.umask 026
AnswerD

Results in default file permissions 640 (rw-r-----).

Why this answer

Option D (umask 026) is correct because it sets the default permissions for new files to 640 (rw-r-----), which removes read access for 'others' while preserving read access for group members. The umask value is subtracted from the base permissions (666 for files), so a umask of 026 results in 666 - 026 = 640, meeting the requirement that new files in /var/log are not world-readable without altering existing file permissions.

Exam trap

The trap here is that candidates often choose umask 027 (option A) thinking it provides better security, but they overlook that it removes group read access, which can break legitimate log-reading processes, while the correct answer 026 preserves group read access and only removes world-read access.

How to eliminate wrong answers

Option A (umask 027) is wrong because it results in file permissions of 640 (rw-r-----), which also removes world-read access, but it additionally removes group read access (since 027 subtracts group write and execute, but for files the execute bit is not set by default, so group read is removed). This is more restrictive than needed and may break legitimate group access required for log reading by system utilities. Option B (umask 022) is wrong because it results in file permissions of 644 (rw-r--r--), which leaves files world-readable, directly failing the audit requirement.

Option C (umask 077) is wrong because it results in file permissions of 600 (rw-------), which removes all group and other access, potentially breaking system services that need group read access to log files (e.g., syslog or monitoring tools).
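As an added example that is not part of the exam page, this shell script computes the default file and directory modes each of the four umask options yields (base 666 for files, 777 for directories, with the umask bits cleared) and then confirms the file result on disk; the directory column goes beyond what the question asks. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the exam page): work out what each umask option
# does to new files and directories. A umask does not subtract in the
# arithmetic sense; it clears permission bits: mode = base & ~umask.

# effective_mode BASE UMASK -> octal mode string (e.g. 666 026 -> 640)
effective_mode() {
    base=$(( 0$1 ))    # leading 0 makes the shell parse the value as octal
    mask=$(( 0$2 ))
    printf '%o\n' $(( base & ~mask ))
}

# file_mode UMASK / dir_mode UMASK -> default mode of a new file / directory
file_mode() { effective_mode 666 "$1"; }
dir_mode()  { effective_mode 777 "$1"; }

# world_readable MODE -> true when the "others" read bit (004) is set
world_readable() {
    [ $(( 0$1 & 04 )) -ne 0 ]
}

# observed_file_mode UMASK -> mode of a file actually created under UMASK,
# so the arithmetic above can be checked against the kernel's behaviour
observed_file_mode() {
    tmpdir=$(mktemp -d) || return 1
    # run umask in a subshell so the caller's umask is left untouched
    ( umask "$1" && : > "$tmpdir/new.log" ) || return 1
    stat -c '%a' "$tmpdir/new.log"
    rm -rf "$tmpdir"
}

# Walk the four options from the question and report the audit outcome
for u in 027 022 077 026; do
    printf 'umask %s: file %s  dir %s' "$u" "$(file_mode "$u")" "$(dir_mode "$u")"
    if world_readable "$(file_mode "$u")"; then
        printf '  -> new files still world-readable\n'
    else
        printf '  -> new files not world-readable\n'
    fi
done
```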

272
MCQhard

An administrator needs to configure iSCSI multipathing. After setting up two paths, which command should be used to verify the multipath topology?

A.multipath -l
B.lsscsi
C.dmsetup ls
D.iscsiadm -m session -P 3
AnswerA

This shows multipath topology.

Why this answer

The `multipath -l` command displays the current multipath topology, showing the aggregated device mapper (dm) devices, their underlying paths, and their status (active/passive or active/active). This is the standard tool for verifying multipath configuration after setting up iSCSI paths, as it reads the multipathd state and presents a human-readable map of the multipath devices.

Exam trap

The trap here is that candidates often confuse `iscsiadm -m session -P 3` (which shows iSCSI session details) with a multipath verification command, but it only shows individual iSCSI connections, not the aggregated multipath topology.

How to eliminate wrong answers

Option B (`lsscsi`) is wrong because it lists SCSI devices and their transport details but does not show multipath topology or aggregated device mapper devices. Option C (`dmsetup ls`) is wrong because it lists all device mapper devices (including LVM and multipath) but does not display path grouping, failover status, or the multipath topology in a structured way. Option D (`iscsiadm -m session -P 3`) is wrong because it shows detailed iSCSI session and connection information (including portal groups and TPGs) but does not aggregate paths into multipath devices or display the multipath topology.

273
Multi-Selecthard

A mail administrator is configuring Postfix to use SASL authentication for incoming connections. Which THREE parameters must be set in main.cf?

Select 3 answers
A.smtpd_tls_auth_only
B.smtpd_sasl_security_options
C.smtpd_sasl_auth_enable
D.smtp_sasl_auth_enable
E.broken_sasl_auth_clients
AnswersB, C, E

Specifies security options like noanonymous to reject anonymous logins.

Why this answer

B is correct because `smtpd_sasl_security_options` controls which SASL security mechanisms are allowed for the Postfix SMTP server (e.g., `noanonymous` to reject anonymous logins). This parameter is essential for enforcing authentication policy when SASL is enabled.

Exam trap

The trap here is confusing `smtpd_sasl_auth_enable` (server-side) with `smtp_sasl_auth_enable` (client-side), leading candidates to select the wrong parameter for incoming authentication.

274
Multi-Selectmedium

Which TWO commands can be used to display the current DNS resolver configuration on a Linux system? (Select TWO.)

Select 3 answers
A.dig localhost
B.nmcli dev show
C.resolvectl status
D.nslookup
E.cat /etc/resolv.conf
AnswersB, C, E

nmcli dev show displays network device details, including DNS configuration if NetworkManager is active.

Why this answer

The `nmcli dev show` command displays detailed network device information, including the DNS resolver configuration managed by NetworkManager. The `resolvectl status` command shows the current DNS resolver state and configuration as managed by systemd-resolved. Both commands are valid for viewing the active DNS resolver settings on a modern Linux system.

Exam trap

The trap here is that candidates often assume `cat /etc/resolv.conf` is always the authoritative source for DNS resolver configuration, but on modern systems with systemd-resolved or NetworkManager, this file may be dynamically generated or a stub, and the actual resolver state is better queried via `resolvectl status` or `nmcli dev show`.

275
MCQmedium

A system administrator notices that a new 1TB NVMe drive (/dev/nvme0n1) is not detected by the kernel. The hardware is confirmed working. Which troubleshooting step should be taken first to check if the drive is recognized by the system's PCI subsystem?

A.Run lsblk to list all block devices.
B.Check dmesg output for errors.
C.Run lspci to verify the NVMe controller is detected.
D.Run fdisk -l /dev/nvme0n1 to probe the drive.
AnswerC

lspci shows PCI devices, including NVMe controllers.

Why this answer

The NVMe drive is not detected by the kernel, but the hardware is confirmed working. The first step is to verify whether the PCI subsystem sees the NVMe controller, because NVMe devices are connected via the PCI Express bus. Running lspci lists all PCI devices, including the NVMe controller; if it does not appear, the issue is at the PCI or hardware level, not the block layer.

Exam trap

The trap here is that candidates assume a missing block device must be checked with block-level tools like lsblk or fdisk, when the correct first step is to verify the PCI bus enumeration with lspci, because NVMe drives are PCIe-attached and the kernel cannot see them without a detected controller.

How to eliminate wrong answers

Option A is wrong because lsblk lists block devices that are already recognized by the kernel; if the drive is not detected, lsblk will not show it, providing no diagnostic information about the PCI subsystem. Option B is wrong because checking dmesg output is a secondary step after confirming PCI detection; dmesg may show errors, but it does not directly query the PCI bus and can be verbose or miss the root cause if the controller is not enumerated. Option D is wrong because fdisk -l /dev/nvme0n1 attempts to probe a specific block device that does not exist in /dev, which will fail with an error and does not check the PCI subsystem at all.

276
MCQhard

Your company has a Linux server acting as a router with three VLAN interfaces: eth0.10 (192.168.10.1/24), eth0.20 (192.168.20.1/24), and eth0.30 (192.168.30.1/24). The server has a default route via eth0 (native VLAN) to the internet gateway at 10.0.0.1. Internal hosts can communicate between VLANs, but cannot reach the internet. You have verified that the default route is present and that the gateway is reachable from the router itself. The iptables FORWARD chain policy is ACCEPT, and no filtering rules are defined. You have also confirmed that ip_forward is enabled. What is the most likely missing configuration?

A.Enable net.ipv4.ip_forward in sysctl.conf.
B.Add iptables MASQUERADE rule on the outgoing interface (eth0).
C.Add a static route on the internal hosts to the internet gateway.
D.Disable firewalld to ensure no packet filtering.
AnswerB

Private IPs need SNAT to reach the internet.

Why this answer

The router itself can reach the internet, but internal hosts cannot because traffic from the internal VLANs (192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24) that is forwarded to the internet via eth0 (10.0.0.0/?) has a source IP from the private RFC 1918 address space. The internet gateway (10.0.0.1) will not route packets back to these private addresses, and even if it did, the return packets would not be delivered to the originating internal host without source NAT. Adding an iptables MASQUERADE rule on the outgoing interface (eth0) performs source NAT (SNAT), rewriting the source IP of forwarded packets to the router's own IP on eth0, so that the internet gateway sees return traffic destined to the router, which then de-masquerades and forwards it back to the correct internal host.

Exam trap

The trap here is that candidates often assume ip_forward is the only requirement for routing between networks, forgetting that NAT is necessary when forwarding traffic from private IPs to the internet, even when the router itself can reach the gateway.

How to eliminate wrong answers

Option A is wrong because net.ipv4.ip_forward is already enabled (the problem states it is enabled), so enabling it again in sysctl.conf is redundant and does not address the lack of source NAT. Option C is wrong because internal hosts already have routes to each other via their respective VLAN interfaces on the router, and adding a static route to the internet gateway on internal hosts would not help; the issue is that the internet gateway does not know how to route return traffic to private IPs, not that internal hosts lack a route to the gateway. Option D is wrong because firewalld is not mentioned as running, and even if it were, disabling it would not solve the problem; the FORWARD chain policy is ACCEPT and no rules are defined, so packet filtering is not blocking traffic—the missing element is NAT, not firewall rules.
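As an added example serving questions 268 and 276 (not part of the exam page), this shell audit checks the forwarding prerequisites offline against captured command output: the `sysctl`, `ip route show` and `iptables-save` samples are constructed to mirror the VLAN scenario, and `router_audit` and its helpers are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the exam page: audit a Linux router's forwarding
# prerequisites from captured command output rather than a live system.
# The samples are constructed to mirror the scenario: forwarding is on and
# routes exist, but nothing rewrites private source addresses on eth0.

# Constructed sample of `sysctl net.ipv4.ip_forward`
SYSCTL_OUT='net.ipv4.ip_forward = 1'

# Constructed sample of `ip route show` on the router
ROUTES_OUT='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
192.168.10.0/24 dev eth0.10 proto kernel scope link src 192.168.10.1
192.168.20.0/24 dev eth0.20 proto kernel scope link src 192.168.20.1
192.168.30.0/24 dev eth0.30 proto kernel scope link src 192.168.30.1'

# Constructed samples of `iptables-save -t nat`: the broken state, and the
# state after `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE`
NAT_BEFORE='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
NAT_AFTER='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# forwarding_enabled SYSCTL_OUTPUT -> true when net.ipv4.ip_forward is 1
forwarding_enabled() {
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.ip_forward = 1$'
}

# has_route ROUTES_OUTPUT PREFIX -> true when a routing-table line starts
# with PREFIX (pass "default" to test for the default route)
has_route() {
    printf '%s\n' "$1" | grep -q "^$2 "
}

# has_masquerade NAT_OUTPUT OUT_IFACE -> true when a POSTROUTING rule
# masquerades traffic leaving OUT_IFACE
has_masquerade() {
    printf '%s\n' "$1" | grep -q "^-A POSTROUTING .*-o $2 .*-j MASQUERADE$"
}

# router_audit SYSCTL ROUTES NAT OUT_IFACE NET... -> prints one line per
# check and returns the number of failed checks (0 = hosts on NET... can
# reach the internet through OUT_IFACE)
router_audit() {
    ra_sysctl=$1; ra_routes=$2; ra_nat=$3; ra_out=$4
    shift 4
    ra_failed=0
    if forwarding_enabled "$ra_sysctl"; then
        echo "ok   net.ipv4.ip_forward = 1"
    else
        echo "FAIL net.ipv4.ip_forward is not 1 (question 268, option A)"
        ra_failed=$((ra_failed + 1))
    fi
    for ra_net in "$@"; do
        if has_route "$ra_routes" "$ra_net"; then
            echo "ok   route to $ra_net present"
        else
            echo "FAIL no route to $ra_net (question 268, option C)"
            ra_failed=$((ra_failed + 1))
        fi
    done
    if has_route "$ra_routes" default; then
        echo "ok   default route present"
    else
        echo "FAIL no default route; the router itself cannot reach the internet"
        ra_failed=$((ra_failed + 1))
    fi
    if has_masquerade "$ra_nat" "$ra_out"; then
        echo "ok   MASQUERADE on $ra_out rewrites private source addresses"
    else
        echo "FAIL no MASQUERADE on $ra_out: replies to RFC 1918 sources never return (question 276, option B)"
        ra_failed=$((ra_failed + 1))
    fi
    return $ra_failed
}

NETS='192.168.10.0/24 192.168.20.0/24 192.168.30.0/24'
for nat in "$NAT_BEFORE" "$NAT_AFTER"; do
    # $NETS is left unquoted on purpose so it splits into three arguments
    if router_audit "$SYSCTL_OUT" "$ROUTES_OUT" "$nat" eth0 $NETS; then
        echo "=> router ready"
    else
        echo "=> $? check(s) failed"
    fi
    echo
done
```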

277
Matchingmedium

Match each Linux boot component to its role.

Matches

Bootloader that loads the kernel and initramfs

Temporary root filesystem for early boot drivers

Init system that starts services and manages targets

Compressed Linux kernel image

Older initial ramdisk for booting

Why these pairings

These components are involved in the Linux boot process.

278
MCQeasy

An administrator uses logwatch to send daily summaries to root. Which configuration file controls the default logwatch behavior?

A./etc/logwatch.conf
B./etc/logwatch/conf/logwatch.conf
C./usr/share/logwatch/default.conf
D./etc/logwatch/logwatch.conf
AnswerB

This is the main configuration file for logwatch.

Why this answer

The main logwatch configuration file is /etc/logwatch/conf/logwatch.conf. The other paths are incorrect or used for auxiliary configuration.

279
Multi-Selectmedium

Which TWO commands display the current kernel routing table? (Choose two.)

Select 2 answers
A.route show
B.cat /proc/net/route
C.ip route show
D.ifconfig -a
E.netstat -rn
AnswersC, E

iproute2 command to view routing table.

Why this answer

The `ip route show` command (from the iproute2 suite) displays the current kernel routing table in a structured, human-readable format. It is the modern replacement for legacy tools like `route` and `netstat`, and it directly reads routing information from the kernel's FIB (Forwarding Information Base).

Exam trap

The trap here is that candidates often confuse `route show` (which is invalid) with the valid `route -n` command, or they mistakenly think `ifconfig -a` displays routing information instead of interface configuration.

280
Multi-Selecteasy

Which TWO smb.conf parameters can be used to restrict access to a share based on client IP address or network?

Select 2 answers
A.hosts deny
B.valid users
C.allow hosts
D.invalid users
E.hosts allow
AnswersA, E

This parameter specifies IP addresses or networks that are denied access.

Why this answer

The parameters hosts allow and hosts deny control IP-based access to shares. 'valid users' and 'invalid users' control user-level access, and 'allow hosts' is not a valid Samba parameter.

281
MCQhard

A PAM configuration file for password authentication includes the line 'password requisite pam_cracklib.so retry=3 minlen=8'. A user tries to change their password but is rejected even though the new password meets the stated criteria. The administrator suspects a conflict with another PAM module. Which of the following is the most likely cause?

A.Another PAM module such as pam_pwhistory.so might be configured to prevent reuse of old passwords, causing rejection even though pam_cracklib passes.
B.The 'retry=3' option limits attempts, but the password is only tried once.
C.The 'requisite' control flag causes immediate failure if pam_cracklib fails, but another module might be overriding.
D.The 'minlen=8' option requires exactly 8 characters, not at least 8.
AnswerA

pam_pwhistory checks the password against a history file; if the new password matches an old one, it fails.

Why this answer

Option A is correct because if another module (like pam_pwhistory) is configured to reject any password found in the history file, it can refuse a password that pam_cracklib has already accepted. Option D is wrong because the pam_cracklib options as written are valid; minlen=8 is a minimum length, not an exact one. Option B is wrong because the retry count only affects the number of attempts, not the acceptance criteria.

Option C is wrong because the requisite control flag only causes immediate failure when pam_cracklib itself fails; here pam_cracklib passes and a later module in the stack rejects the password. Since the question says the administrator suspects a conflict with another PAM module, a password-history check is the most common explanation.

282
MCQeasy

An administrator is troubleshooting IPv6 connectivity on an interface with link-local address fe80::1. Which command correctly pings that address from the local host, ensuring the packet uses the correct interface?

A.traceroute6 -i eth0 fe80::1
B.ping6 fe80::1
C.ping -6 eth0 fe80::1
D.ping6 -I eth0 fe80::1
AnswerD

Binds to interface eth0 for link-local address.

Why this answer

Option D is correct because the `ping6 -I eth0 fe80::1` command explicitly binds the ICMPv6 echo request to interface `eth0`, which is required when pinging a link-local address (fe80::/10). Link-local addresses are not globally unique; they are scoped to a specific network segment, so the kernel must know which interface to send the packet out of. Without the `-I` option, the system may fail to route the packet or send it out the wrong interface.

Exam trap

The trap here is that candidates assume `ping6` alone works for any IPv6 address, but link-local addresses require an interface specification (via `-I` or a `%` scope ID) because they are not globally routable and the kernel cannot determine the correct interface from the address alone.

How to eliminate wrong answers

Option A is wrong because `traceroute6` is a path-discovery tool, not a ping command, and it does not test basic IPv6 connectivity with ICMP echo requests. Option B is wrong because `ping6 fe80::1` lacks an interface specification, causing the kernel to either return an error (e.g., 'connect: Invalid argument') or send the packet out an incorrect interface, as link-local addresses require a scope ID or explicit interface binding. Option C is wrong because `ping -6 eth0 fe80::1` uses incorrect syntax; `ping` (IPv4) with `-6` expects the interface to be specified with `-I` (e.g., `ping -6 -I eth0 fe80::1`), and placing `eth0` directly after `-6` is invalid and will be interpreted as a hostname.

283
MCQmedium

A company uses Samba to share files from a Linux server to Windows clients. After upgrading Samba from version 4.10 to 4.15, some users report they cannot access shares and receive 'Access denied' errors. The smb.conf has been verified and seems correct. What is the most likely cause?

A.The firewall is blocking SMB ports.
B.The users' passwords are too short.
C.The 'ntlm auth' parameter is set to 'no' in the new version.
D.The Samba service is not running after upgrade.
AnswerC

Newer Samba versions default ntlm auth to no, breaking older clients.

Why this answer

Starting with Samba 4.11, the default value of the 'ntlm auth' parameter changed from 'yes' to 'no'. This disables NTLMv1 authentication, which many legacy Windows clients or configurations still rely on. Even though the smb.conf appears correct, the new default silently blocks NTLMv1, causing 'Access denied' errors after the upgrade.

Exam trap

The trap here is that candidates assume the upgrade preserved all default settings, but Samba silently changes critical security defaults between major versions, and the 'Access denied' error is easily misattributed to firewall or service issues.

How to eliminate wrong answers

Option A is wrong because the firewall blocking SMB ports (typically 139/tcp and 445/tcp) would prevent any connection at all, not selectively cause 'Access denied' after authentication. Option B is wrong because Samba does not enforce a minimum password length by default; password length is a policy set in smb.conf or via PAM, not a version-specific change. Option D is wrong because if the Samba service were not running, users would receive 'network path not found' or 'connection refused' errors, not 'Access denied'.

284
Multi-Selectmedium

Given the LDAP client configuration shown in the exhibit, which THREE additional components are required for LDAP authentication to work? (Choose three.)

Select 3 answers
A.Edit /etc/nsswitch.conf to include ldap in passwd, shadow, and group lines.
B.Install and configure autofs.
C.Configure /etc/krb5.conf for Kerberos.
D.Add 'auth sufficient pam_ldap.so' or similar to /etc/pam.d/system-auth.
E.Start the nscd service.
AnswersA, D, E

Necessary to query LDAP for user/group info.

Why this answer

Option A is correct because /etc/nsswitch.conf controls which sources the system uses for user, group, and password lookups. Adding 'ldap' to the passwd, shadow, and group lines directs the Name Service Switch (NSS) to query the LDAP directory for authentication-related information, which is essential for integrating LDAP as an identity source.

Exam trap

The trap here is that candidates often confuse optional components like autofs or Kerberos as mandatory for LDAP authentication, when in fact only NSS, PAM, and caching (nscd) are the core required pieces for basic LDAP authentication to function.

285
MCQhard

Refer to the exhibit. A user cannot connect to the 'share2' Samba share. What is the most likely cause?

A.The Samba service is not running.
B.The user does not have permission to read the share.
C.The share name is too long.
D.The share path does not exist or is not accessible.
AnswerD

Correct; the path cannot be accessed, causing the failure.

Why this answer

Option D is correct because the most common cause of a user being unable to connect to a Samba share is that the share path specified in the smb.conf file does not exist or is not accessible by the Samba service. Samba does not create the underlying directory; it only maps the share name to a path. If the path is missing, permissions are wrong, or the filesystem is not mounted, the connection will fail with an error like 'NT_STATUS_OBJECT_PATH_NOT_FOUND'.

Exam trap

The trap here is that candidates often assume a Samba share failure is due to service status or permissions, but the LPIC-2 exam emphasizes verifying the underlying filesystem path and its mount state as a prerequisite for share connectivity.

How to eliminate wrong answers

Option A is wrong because if the Samba service were not running, the user would likely receive a 'connection refused' error or a timeout, not a share-specific failure; the question implies the user can attempt to connect but fails on the share. Option B is wrong because the user's inability to read the share is a permission issue that would typically occur after the share is successfully mounted or accessed, not at the connection stage; Samba first validates the path existence and accessibility before checking user permissions. Option C is wrong because Samba share names are limited to 255 characters in practice, and 'share2' is well within that limit; a name length issue would cause a configuration parsing error, not a connection failure.

286
Multi-Selectmedium

A Linux server running Samba as a domain member is experiencing slow authentication for users. Which two configuration changes are most likely to improve authentication performance?

Select 2 answers
A.Disable SMB signing by setting 'server signing = disabled'
B.Enable 'winbind offline logon = yes'
C.Set 'idmap config * : backend = tdb' to cache ID mappings locally
D.Change 'security = ADS' to 'security = user'
E.Set 'name resolve order = lmhosts host wins bcast'
AnswersB, C

Allows cached logon

Why this answer

Option B is correct because enabling 'winbind offline logon = yes' allows winbind to cache user credentials locally, so authentication can proceed without contacting the domain controller if it is temporarily unreachable, reducing latency for repeated logins. Option C is correct because setting 'idmap config * : backend = tdb' stores ID mappings (UID/GID to SID) in a local tdb database, avoiding repeated queries to the domain controller for mapping resolution, which directly improves authentication performance in a domain member setup.

Exam trap

The trap here is that candidates often confuse 'performance improvements' with 'security reductions' (like disabling SMB signing) or 'name resolution tweaks', when the actual bottleneck is typically the round-trip time to the domain controller for authentication and ID mapping lookups, which caching directly addresses.

287
MCQmedium

A Linux administrator is managing a database server running on CentOS 7 that uses ext4 filesystems on LVM. The server has three physical volumes: /dev/sda (200GB), /dev/sdb (200GB), and /dev/sdc (200GB) all in volume group 'vg_db'. The logical volume 'lv_data' (400GB) is used for database files. Recently, the DBA reports that database writes are slower than expected. Iostat shows high average wait times (>100ms) on /dev/sdc but normal on /dev/sda and /dev/sdb. The LVM stripes data across all three PVs with a stripe size of 64KB. Which action should the administrator take to improve performance?

A.Replace /dev/sdc with a new disk and restore the mirror or restripe.
B.Convert lv_data to linear mapping on /dev/sda and /dev/sdb only.
C.Increase the stripe size to 256KB to reduce I/O overhead.
D.Remove /dev/sdc from the volume group and reduce the stripe count to 2.
AnswerA

The slow disk is the bottleneck; replacing it resolves the issue.

Why this answer

The high average wait time on /dev/sdc indicates that this specific physical volume is a performance bottleneck, likely due to hardware failure or degradation. Since the logical volume 'lv_data' stripes data across all three PVs, the overall write performance is limited by the slowest device in the stripe set. Replacing /dev/sdc with a new disk and restoring the stripe (e.g., using pvmove to relocate extents and then replacing the device) eliminates the bottleneck and restores balanced I/O across all PVs.

Exam trap

The trap here is that candidates may think increasing stripe size or reducing stripe count will improve performance, but they overlook that a single failing or slow physical volume in a striped logical volume creates a synchronous bottleneck that cannot be mitigated by tuning stripe parameters alone.

How to eliminate wrong answers

Option B is wrong because converting to linear mapping on only two PVs would reduce total available bandwidth and capacity, and would not address the underlying hardware issue on /dev/sdc; the slow device would still be in use if not removed. Option C is wrong because increasing the stripe size to 256KB would change the I/O pattern but does not fix a failing or slow physical disk; it may even worsen latency for small random writes. Option D is wrong because simply removing /dev/sdc from the volume group and reducing the stripe count to 2 would require a full restripe and data migration, and does not address the fact that the remaining two PVs may not provide the same performance as the original three; also, the slow disk is still present and could cause further issues.

288
MCQhard

A Samba server is configured as a classic PDC (Primary Domain Controller) for a legacy network. The administrator needs to add a new machine account for a client joining the domain. Which command accomplishes this?

A.samba-tool domain add machinename
B.smbpasswd -a -m MACHINENAME
C.net rpc join machinename
D.pdbedit -a -m MACHINENAME
AnswerB

The -m flag indicates a machine account.

Why this answer

In a classic Samba PDC (Primary Domain Controller) setup, machine accounts are stored in the `smbpasswd` file (or tdbsam) and are added using `smbpasswd -a -m MACHINENAME`. The `-m` flag specifically indicates a machine account, which appends a `$` to the name and sets the appropriate flags for domain membership. This command creates the machine trust account that the client uses to join the domain.

Exam trap

The trap here is that candidates confuse the classic Samba PDC (NT4-style) commands with Samba 4 AD DC commands, or misuse client-side join commands (`net rpc join`) as server-side machine account creation commands.

How to eliminate wrong answers

Option A is wrong because `samba-tool domain add` is a command for Samba 4 AD DC (Active Directory Domain Controller) domains, not for a classic Samba PDC (NT4-style domain). Option C is wrong because `net rpc join` is used on a client machine to join a domain, not on the server to add a machine account. Option D is wrong because `pdbedit -a -m MACHINENAME` would attempt to add a machine account using the pdbedit tool, but the correct syntax is `pdbedit -a -u MACHINENAME$` (with a trailing dollar sign) and the `-m` flag is not valid for pdbedit; `smbpasswd -a -m` is the proper command for classic PDCs.

289
MCQhard

Your company runs a Samba file server (version 4.15) in a mixed environment with Windows 10 and Linux clients. The server is part of an Active Directory domain. Recently, a new security policy requires that all SMB connections use SMB3 encryption. You have configured 'smb encrypt = required' in the [global] section of smb.conf and restarted smbd. However, Windows clients report that they cannot connect to the server, while Linux clients can connect using mount.cifs with the 'seal' option. You check smb.conf and verify that 'server min protocol = SMB3' is set. What is the most likely cause of the Windows clients' inability to connect?

A.The 'server min protocol = SMB3' should be 'SMB2' to allow Windows 10 to negotiate SMB3
B.Windows clients do not have SMB encryption enabled by default, so they reject the required encryption
C.The Samba server must be joined to the domain again after changing encryption settings
D.The 'smb encrypt' parameter is deprecated and should be replaced by 'server smb encrypt'
AnswerB

SMB encryption must be enabled on Windows client side.

Why this answer

Windows 10 clients do not enable SMB encryption by default; they require the client to request encryption, but when the server sets 'smb encrypt = required', the server demands encryption on all connections. Windows clients without explicit encryption configuration (e.g., via Group Policy or registry) will fail to connect because they do not negotiate SMB3 encryption automatically. Linux clients succeed because mount.cifs with the 'seal' option explicitly requests encryption, matching the server's requirement.

Exam trap

The trap here is that candidates assume Windows clients automatically support and negotiate SMB3 encryption when the server requires it, overlooking that Windows clients need explicit configuration to enable encryption.

How to eliminate wrong answers

Option A is wrong because 'server min protocol = SMB3' is correct for requiring SMB3; Windows 10 supports SMB3 natively, and setting it to SMB2 would allow SMB2 connections, which is not the goal. Option C is wrong because changing encryption settings does not affect domain membership; rejoining the domain is unnecessary and would not resolve the encryption negotiation issue. Option D is wrong because 'smb encrypt' is not deprecated in Samba 4.15; 'server smb encrypt' is not a valid parameter—the correct parameter is 'smb encrypt'.

290
MCQ · medium

A Linux client is configured to authenticate users against an LDAP server using PAM. Some users are unable to log in, while others succeed. The admin has verified that the LDAP server is reachable and that the user entries exist. Which of the following is the most likely cause?

A.The nsswitch.conf file is missing the 'ldap' entry for 'passwd'.
B.The pam_ldap configuration has a size limit that restricts search results.
C.The LDAP server is using different encryption settings.
D.The nslcd service is not running.
Answer: B

A size limit can cause some valid users to be omitted from search results, leading to intermittent failures.

Why this answer

Option B is correct because the pam_ldap configuration can include a size limit (e.g., 'pam_ldap size_limit 500') that restricts the number of entries returned from an LDAP search. When a user logs in, PAM may perform a search that returns multiple matching entries (e.g., due to ambiguous username or group membership lookups), and if the result set exceeds this limit, the search fails for some users. This explains why some users succeed while others fail, even though the LDAP server is reachable and user entries exist.

Exam trap

The trap here is that candidates often assume all authentication failures are due to network or service issues, but the question specifically states the LDAP server is reachable and user entries exist, so the cause must be a client-side configuration limit that affects only some users, such as a size limit in pam_ldap.

How to eliminate wrong answers

Option A is wrong because the nsswitch.conf file missing the 'ldap' entry for 'passwd' would cause all user lookups to fail, not just some users; it is a system-wide configuration issue. Option C is wrong because different encryption settings between the client and server would typically cause a connection failure for all users, not a partial login issue. Option D is wrong because if the nslcd service is not running, no LDAP authentication would work at all; the fact that some users can log in proves the service is operational.

291
MCQ · medium

Refer to the exhibit. The DNS server at 192.0.2.1 is the primary for example.com. What does the 'lame server' message indicate?

A.The server received a query for an invalid domain.
B.The server is not configured to listen on the querying client's network.
C.The server does not consider itself authoritative for example.com.
D.The server is too busy to answer queries.
Answer: C

The server responded but does not have the zone, hence 'lame'.

Why this answer

A 'lame server' message in DNS indicates that a server has received a query for a domain for which it is configured as a nameserver (e.g., via NS records or delegation), but it does not consider itself authoritative for that domain. In this case, the DNS server at 192.0.2.1 is supposed to be the primary for example.com, so the message means it is not configured with the zone data or does not have the zone loaded, and therefore answers non-authoritatively.

Exam trap

The trap here is that candidates often confuse 'lame server' with a server being unreachable or overloaded, but it specifically refers to a delegation-authority mismatch where the server does not serve the zone it is expected to.

How to eliminate wrong answers

Option A is wrong because a 'lame server' message is not about invalid domains; it occurs when the server is authoritative according to delegation but lacks the zone data. Option B is wrong because the message does not relate to listening interfaces or network configuration; it is a DNS protocol-level error about authority. Option D is wrong because the message is not about server load or busyness; it is a specific DNS error indicating the server is not authoritative for the queried zone.

292
MCQ · hard

A company has a Linux client running Ubuntu 20.04 that is used by multiple developers. The client has two network interfaces: eth0 (connected to the corporate network with DHCP) and eth1 (connected to a test lab with static IP 192.168.100.10/24). The client needs to access both the internet (via eth0) and the lab network (192.168.100.0/24). The default gateway is 10.0.0.1 on eth0. The lab network has a server at 192.168.100.50 that provides DHCP for the lab devices, but the client's eth1 is statically configured. Recently, the client cannot reach the lab server at 192.168.100.50. The administrator checks the routing table and sees:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
    10.0.0.0        0.0.0.0         255.255.255.0   U     100    0        0 eth0
    192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 eth1

The administrator can ping 192.168.100.50 from the client. However, the lab server cannot ping the client. What is the most likely cause?

A.The lab server's default gateway is misconfigured.
B.The client's firewall is blocking incoming ICMP echo requests.
C.The client has no route to the lab subnet.
D.The client's default gateway is misconfigured.
Answer: B

The client can initiate traffic but may block incoming connections, preventing the server from pinging back.

Why this answer

The client can ping the lab server (192.168.100.50), proving that outbound traffic from the client to the lab network works correctly. However, the lab server cannot ping the client, which indicates that either the return traffic is blocked or the client does not have a route back to the server. Since the client's routing table shows a direct route to 192.168.100.0/24 via eth1, the issue is not a missing route; instead, the most likely cause is that the client's firewall (e.g., iptables or ufw) is blocking incoming ICMP Echo Requests (ping) on eth1, while allowing outbound traffic.

Exam trap

The trap here is that candidates assume a successful ping from client to server implies full bidirectional connectivity, but they overlook that firewalls often block inbound ICMP while permitting outbound, leading to a one-way communication failure.

How to eliminate wrong answers

Option A is wrong because the lab server's default gateway is irrelevant for reaching the client on the same subnet (192.168.100.0/24); devices on the same broadcast domain communicate directly via ARP, not through a gateway. Option C is wrong because the routing table clearly shows a route to 192.168.100.0/24 via eth1 with a metric of 100, so the client does have a route to the lab subnet. Option D is wrong because the default gateway (10.0.0.1 on eth0) is correctly configured for internet access, and the client can reach the lab server, so the default gateway is not the issue.

293
Multi-Select · easy

Which TWO configuration files are commonly used to specify DNS resolver settings on a Linux system? (Select TWO.)

Select 2 answers
A./etc/nsswitch.conf
B./etc/systemd/resolved.conf
C./etc/resolv.conf
D./etc/dhcp/dhclient.conf
E./etc/hosts
Answers: B, C

/etc/systemd/resolved.conf is the configuration file for systemd-resolved, which can manage DNS settings; /etc/resolv.conf is the traditional resolver configuration file.

Why this answer

Option B is correct because /etc/systemd/resolved.conf is the configuration file for systemd-resolved, a service that manages DNS resolution on modern Linux systems. Option C is correct because /etc/resolv.conf is the traditional configuration file for specifying DNS resolver settings, including nameserver addresses and search domains, and is still widely used.

Exam trap

The trap here is that candidates often confuse /etc/nsswitch.conf with DNS resolver configuration, but it only controls the lookup order (e.g., 'hosts: files dns') and does not contain nameserver addresses.

294
MCQ · easy

A company wants to use Samba to share files with Windows clients. Which service must be enabled in Samba to support Windows Active Directory domain membership?

A.nmbd
B.smbd
C.swat
D.winbind
Answer: D

Winbind allows Samba to use Windows AD for authentication and identity mapping.

Why this answer

Winbind (winbindd) is the Samba service that integrates with Windows Active Directory by resolving user and group information from the domain controller. It uses Kerberos (the Active Directory authentication protocol) and LDAP to map Windows domain users to local Unix accounts, enabling domain membership and single sign-on.

Exam trap

The trap here is that candidates often confuse the core file-sharing service (smbd) with the domain integration service (winbind), assuming smbd alone handles AD membership because it manages shares.

How to eliminate wrong answers

Option A is wrong because nmbd handles NetBIOS name resolution and browsing, not Active Directory domain membership. Option B is wrong because smbd provides file and print sharing services but does not handle domain authentication or user/group resolution from AD. Option C is wrong because swat is a web-based administration tool for Samba configuration, not a runtime service for domain membership.

295
MCQ · medium

A Samba server is configured to authenticate users against an Active Directory domain using winbind. After joining the domain, some users report that they cannot access shares, while others can. The administrator runs 'wbinfo -u' and sees a list of domain users. However, 'getent passwd' does not show domain users. Which configuration parameter is most likely missing or misconfigured in /etc/samba/smb.conf?

A.winbind enum users = yes
B.winbind use default domain = yes
C.winbind nested groups = yes
D.idmap config * : backend = tdb
Answer: A

This enables getent passwd to list domain users.

Why this answer

The `wbinfo -u` command lists domain users because it queries the winbind daemon directly, which has successfully joined the AD domain. However, `getent passwd` does not show domain users because the Name Service Switch (NSS) module for winbind is not configured to enumerate users. The parameter `winbind enum users = yes` in smb.conf tells winbind to provide user enumeration to NSS, allowing commands like `getent passwd` to return domain users.

Without this, the NSS winbind module will not list domain users, even though authentication may work for known users.

Exam trap

The trap here is that candidates assume `wbinfo -u` and `getent passwd` should behave identically, but they do not realize that `wbinfo` bypasses NSS and directly queries winbind, while `getent` relies on NSS configuration and the `winbind enum users` parameter.

How to eliminate wrong answers

Option B is wrong because `winbind use default domain = yes` controls whether usernames are prefixed with the domain name (e.g., DOMAIN\user vs. user), but it does not affect whether domain users appear in `getent passwd`; it only simplifies login names. Option C is wrong because `winbind nested groups = yes` enables recursive group membership resolution for nested AD groups, which is unrelated to user enumeration via NSS. Option D is wrong because `idmap config * : backend = tdb` sets the default ID mapping backend to a local tdb file, which is necessary for mapping SIDs to Unix UIDs/GIDs but does not control whether users are listed by `getent passwd`; enumeration is governed by the `winbind enum users` parameter.

296
MCQ · hard

A company runs a critical web server on a custom-built Linux distribution. The server has been stable for months, but after a recent kernel update from version 5.10 to 5.15, the server experiences intermittent crashes. The crashes occur under heavy load and are accompanied by kernel oops messages mentioning a NULL pointer dereference in a network driver. The network driver is a third-party module that was compiled against the old kernel. The system administrator has recompiled the module against the new kernel, but the crashes persist. The server has 64 GB of RAM and uses a bonded network interface with two 10 GbE NICs. The kernel oops trace points to a function in the bonding driver. Which of the following is the most likely cause of the crashes?

A.Increase the system memory to reduce memory pressure.
B.Update the firmware on the network interface cards.
C.Check the kernel configuration changes between versions 5.10 and 5.15 that affect the bonding driver.
D.Recompile the network driver module with debugging enabled.
Answer: C

Kernel API changes in the bonding driver could cause the third-party module to dereference a NULL pointer.

Why this answer

Option C is correct because the crashes persist after recompiling the third-party network driver, and the oops trace points to the bonding driver. This indicates that the issue is likely due to changes in the kernel's internal APIs or data structures between versions 5.10 and 5.15 that affect the bonding driver, not the third-party module. The bonding driver is part of the kernel itself, so it must be compatible with the new kernel version; checking kernel configuration changes (e.g., modifications to `struct net_device`, bonding sysfs interfaces, or locking mechanisms) is the appropriate next step.

Exam trap

The trap here is that candidates assume recompiling the third-party module against the new kernel is sufficient, overlooking that the crash originates in the in-tree bonding driver, which must also be compatible with the kernel version and may require kernel configuration adjustments or backported patches.

How to eliminate wrong answers

Option A is wrong because increasing system memory does not address a NULL pointer dereference caused by a kernel API change; memory pressure is unrelated to the driver logic error. Option B is wrong because updating NIC firmware would not fix a kernel-level bug in the bonding driver; firmware handles low-level hardware operations, not kernel data structures. Option D is wrong because recompiling with debugging enabled only adds debug symbols and does not fix the underlying API incompatibility; the module was already recompiled against the new kernel, and debugging would not resolve the NULL pointer dereference in the bonding driver.

297
MCQ · easy

A kernel module has been recompiled. Which command updates the module dependency information?

A.depmod
B.modprobe
C.insmod
D.modinfo
Answer: A

depmod generates modules.dep and map files needed by modprobe.

Why this answer

The `depmod` command is used to generate a list of module dependencies, stored in the modules.dep file, based on the symbols exported by each kernel module. After recompiling a module, this file becomes outdated, and running `depmod -a` (or simply `depmod`) rebuilds the dependency information so that tools like `modprobe` can correctly load modules and their prerequisites.

Exam trap

The trap here is that candidates often confuse `modprobe` (which loads modules and their dependencies) with `depmod` (which builds the dependency database), assuming that the tool that loads modules also updates the dependency information.

How to eliminate wrong answers

Option B is wrong because `modprobe` is used to load or unload kernel modules and their dependencies, but it does not update the dependency database itself; it relies on the pre-existing modules.dep file generated by `depmod`. Option C is wrong because `insmod` inserts a single module into the kernel without resolving dependencies, and it does not update any dependency metadata. Option D is wrong because `modinfo` displays information about a kernel module (such as author, description, and parameters) but does not modify or regenerate dependency information.

298
Multi-Select · easy

Which two commands display information about LVM physical volumes? (Choose two.)

Select 2 answers
A.pvs
B.pvcreate
C.pvck
D.pvscan
E.pvdisplay
Answers: A, E

pvs provides a concise listing of physical volumes.

Why this answer

The `pvs` command (option A) provides a concise, configurable listing of all LVM physical volumes, showing key attributes like PV name, VG name, size, and free space. The `pvdisplay` command (option E) offers a detailed, verbose display of physical volume properties, including metadata areas, PE size, and allocation status. Both are standard LVM utilities for querying PV information.

Exam trap

The trap here is that candidates often confuse `pvscan` (which does display PVs after scanning) with a dedicated display command, but the LPIC-2 exam expects `pvs` and `pvdisplay` as the standard information-display tools, while `pvscan` is categorized as a scanning/discovery command.

299
MCQ · easy

A DHCP client reports it cannot obtain an IP address. The Ethernet cable is connected and the interface is up. The administrator runs 'dhclient eth0' but gets 'No DHCPOFFERS received'. The network has a DHCP server on the same subnet. Which command should the administrator use next to diagnose the problem?

A.Run 'route -n' to see if a default route exists.
B.Run 'netstat -i eth0' to check packet errors.
C.Run 'tcpdump -i eth0 port 67 or port 68' to monitor DHCP packets.
D.Run 'ifconfig eth0' to check the interface status.
Answer: C

Captures DHCP traffic to identify the issue.

Why this answer

Option C is correct because the client is not receiving DHCPOFFERs, indicating a network-level issue with DHCP traffic. Using tcpdump to capture packets on ports 67 (BOOTP server) and 68 (BOOTP client) allows the administrator to see if DHCPDISCOVER packets are leaving the client and whether any DHCPOFFER packets arrive from the server. This directly isolates whether the problem is a lack of server response, packet filtering, or a misconfigured relay agent.

Exam trap

The trap here is that candidates often jump to checking interface status or routing, but the core issue is that DHCP is a broadcast-based protocol on the local link, so packet capture is the definitive way to verify whether the client's DISCOVER is reaching the server and whether the server's OFFER is returning.

How to eliminate wrong answers

Option A is wrong because route -n shows the routing table, but the client is on the same subnet as the DHCP server, so routing is not involved in the initial DHCP handshake. Option B is wrong because netstat -i eth0 checks interface statistics like packet errors, but the interface is already confirmed up and connected, and packet errors would not prevent DHCPOFFERs from being received. Option D is wrong because ifconfig eth0 checks interface status, which the administrator already verified is up; repeating this command provides no new diagnostic information about DHCP traffic.

300
MCQ · hard

An administrator is troubleshooting network isolation in a Linux container environment. The container should have its own network stack, but it appears to be using the host's interfaces. Which command correctly runs a command inside a network namespace named 'ns1' to verify its network configuration?

A.nsenter -t 1234 -n ip addr show
B.ip netns exec ns1 ip addr show
C.unshare -n ip addr show
D.ip netns add ns1
Answer: B

Executes the command in the named network namespace.

Why this answer

Option B is correct because the `ip netns exec` command is specifically designed to execute a command within a given network namespace. In this scenario, `ip netns exec ns1 ip addr show` runs the `ip addr show` command inside the network namespace named 'ns1', allowing the administrator to verify that the container has its own network stack and is not using the host's interfaces.

Exam trap

The trap here is that candidates confuse `nsenter` with `ip netns exec`; while both can enter a network namespace, `nsenter` requires a process PID and does not directly support named namespaces, whereas `ip netns exec` is the correct tool for named network namespaces like 'ns1'.

How to eliminate wrong answers

Option A is wrong because `nsenter -t 1234 -n ip addr show` enters the network namespace of a process with PID 1234, not a named namespace like 'ns1'; it requires a running process PID and does not directly target a named network namespace. Option C is wrong because `unshare -n ip addr show` creates a new network namespace and runs the command in that new namespace, but it does not execute the command inside an existing namespace named 'ns1'; it would show the network configuration of a fresh, empty namespace, not the target one. Option D is wrong because `ip netns add ns1` only creates a new network namespace named 'ns1' but does not run any command inside it; it is a setup step, not a verification command.
