Linux Professional Institute Certification Level 2 LPIC-2 (LPIC-2) — Questions 301–375

511 questions total · 7pages · All types, answers revealed

Page 5 of 7
301
MCQ (hard)

A company runs a database server on Linux with a 4-disk RAID 10 array using mdadm. The server recently experienced a power outage. After reboot, the array is not assembling automatically. The administrator runs `mdadm --assemble --scan` and it fails with a message: 'mdadm: /dev/md0 has been found but is not a valid md superblock.' The administrator checks /proc/mdstat and sees no arrays. The disks /dev/sda, /dev/sdb, /dev/sdc, /dev/sdd are present. Running `mdadm --examine /dev/sda` shows no md superblock, but the disk contains data partitions. The administrator suspects that the superblock may be corrupted or that the disks were accidentally overwritten. The administrator has documentation that the array was created with the following parameters: RAID level 10, 4 disks, chunk size 512 KiB, metadata 1.2. What is the best course of action to recover the array?

A.Use `mdadm --create --level=10 --raid-devices=4 --chunk=512 --metadata=1.2 /dev/md0 /dev/sda /dev/sdb /dev/sdc /dev/sdd` without --assume-clean and then run fsck.
B.Run `mdadm --examine --scan` to probe for superblocks on all disks, then attempt recovery with --super-minor or --uuid.
C.Use `dd` to backup each disk's first few sectors, then use a data recovery tool.
D.Use `mdadm --create --level=10 --raid-devices=4 --chunk=512 --metadata=1.2 --assume-clean /dev/md0 /dev/sda /dev/sdb /dev/sdc /dev/sdd` and then mount.
Answer: D

--assume-clean writes fresh superblocks and skips the initial resync, so the data area is left untouched.

Why this answer

Option D is correct because when the md superblock is missing or corrupted on every member (as `mdadm --examine` confirms), there is nothing left to assemble; the only way back is to recreate the array with `--assume-clean`. That flag makes mdadm write fresh superblocks and mark the array clean without the initial sync that would otherwise copy one mirror half over the other. The data mapping is only correct if the new array matches the original exactly: RAID 10, 4 devices, 512 KiB chunk, metadata 1.2, and also the same layout (the RAID 10 default is near-2), the same data offset (metadata 1.2 reserves space before the data, and a newer mdadm may pick a larger default, so take the value from the original creation notes or an old `mdadm --examine` output and pass `--data-offset` explicitly if it differs) and the same device order. A practitioner runs the recreate first against copy-on-write overlays of the disks, mounts the result read-only and runs `fsck -n`, and only then repeats it on the real members.

Exam trap

The trap here is that candidates mistakenly think `--create` always destroys data, but with `--assume-clean` it reconstructs the metadata without overwriting existing data, making it the correct recovery step when superblocks are lost.

How to eliminate wrong answers

Option A is wrong because `mdadm --create` without `--assume-clean` starts an initial sync; for RAID 10 that copies the first device of each mirror pair over the second, so if the device order or data offset is guessed wrong, half of the array is overwritten and the chance of recovery is gone. Option B is wrong because `mdadm --examine --scan` only reports superblocks it can read, and the administrator has already confirmed there are none; `--uuid` and `--super-minor` select what to assemble, they repair nothing. Option C is wrong because backing up the first sectors with `dd` does not recover the array: imaging the disks (or putting overlays in front of them) before any `--create` is a sensible precaution, but it is not the recovery step, and generic data-recovery tools work on a filesystem, which needs the array assembled first.
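The procedure the explanation describes, written out as an added example (not code from the exam page): the recreate is run first against device-mapper snapshot overlays, so a wrong guess about device order or data offset can be thrown away, and the result is checked read-only before the real disks are touched. Assumed, because the page does not state them: the members are /dev/sda through /dev/sdd in their original creation order, the layout is the RAID 10 default near-2, and the original data offset was the metadata 1.2 default. With DRY_RUN=1 (the default) the script only prints the commands it would run; DRY_RUN=0 as root executes them.

```sh
#!/bin/sh
# Added example, not part of the exam page: rebuild the lost superblocks of
# the 4-disk RAID 10 with --assume-clean, but only against copy-on-write
# overlays first, so a wrong device order or data offset costs nothing.
# Assumed (not stated on the page): members /dev/sd[abcd] in creation
# order, the default near-2 layout, and the default metadata 1.2 data
# offset. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 as root runs them.

DRY_RUN="${DRY_RUN:-1}"
MEMBERS="/dev/sda /dev/sdb /dev/sdc /dev/sdd"      # original creation order
OVERLAY_DIR="${OVERLAY_DIR:-/var/tmp/md-overlay}"
ARRAY=/dev/md0
TESTMOUNT=/mnt/md0-test

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Put a non-persistent dm snapshot in front of one disk: writes go to a
# sparse file, reads fall through to the untouched real disk.
make_overlay() {
    name=$(basename "$1")
    cow="$OVERLAY_DIR/$name.cow"
    run mkdir -p "$OVERLAY_DIR"
    run truncate -s 4G "$cow"
    if [ "$DRY_RUN" = 1 ]; then
        loop=/dev/loopN                      # real run: whatever losetup returns
        run losetup --find --show "$cow"
    else
        loop=$(losetup --find --show "$cow")
    fi
    sectors=$(blockdev --getsz "$1" 2>/dev/null || echo SECTORS)
    run dmsetup create "ov-$name" --table "0 $sectors snapshot $1 $loop N 8"
}

# The recreate itself. --assume-clean writes fresh superblocks and skips
# the initial sync that would copy one mirror half over the other.
create_array() {          # $@ = member devices, in the original order
    run mdadm --create "$ARRAY" --assume-clean --level=10 --raid-devices=4 \
        --chunk=512 --metadata=1.2 --layout=n2 "$@"
}

# Never mount read-write first: a wrong guess must not be "repaired" into place.
verify_readonly() {
    run fsck -n "$ARRAY"
    run mkdir -p "$TESTMOUNT"
    run mount -o ro "$ARRAY" "$TESTMOUNT"
}

# Stage 1: build the array on overlays and look at it. If fsck or the mount
# fails, remove the overlays and retry with another device permutation.
trial_on_overlays() {
    set --
    for d in $MEMBERS; do
        make_overlay "$d"
        set -- "$@" "/dev/mapper/ov-$(basename "$d")"
    done
    create_array "$@"
    verify_readonly
}

# Stage 2: only after stage 1 showed a sane filesystem, repeat on the real disks.
commit_to_real_disks() {
    run umount "$TESTMOUNT"
    run mdadm --stop "$ARRAY"
    for d in $MEMBERS; do run dmsetup remove "ov-$(basename "$d")"; done
    create_array $MEMBERS
    verify_readonly
}

case "${1:-trial}" in
    trial)  trial_on_overlays ;;
    commit) commit_to_real_disks ;;
esac
```

In the near-2 layout the members form mirror pairs (first with second, third with fourth), so swapping the two disks of a pair produces the same data, while swapping across pairs does not; if the read-only mount shows garbage, permute MEMBERS across pairs and rerun the trial stage. Loop devices left behind by a trial can be found with `losetup -j` on the .cow files.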

302
MCQ (hard)

A Samba server uses 'security = domain' with an NT4-style domain. After a domain controller outage, users cannot authenticate. Which configuration change would allow fallback to local authentication?

A.Set 'domain master = no'
B.Set 'security = user' and 'passdb backend = tdbsam'
C.Set 'local master = yes'
D.Set 'preferred master = no'
Answer: B

Switches Samba to its own local password database, so logins no longer depend on the domain controller.

Why this answer

When a Samba server is configured with 'security = domain', it relies on a remote NT4-style domain controller for authentication. If the domain controller is unavailable, users cannot authenticate because Samba has no local fallback. Changing to 'security = user' and setting 'passdb backend = tdbsam' makes Samba authenticate users against its own local password database (tdbsam), so authentication works even while the domain controller is down. The switch is not transparent: every user who should keep access needs an entry in that local database (`smbpasswd -a user`), and the trust model changes from domain-validated to locally validated, so this is an emergency measure rather than a true fallback.

Exam trap

The trap here is that candidates confuse Samba's browsing roles (domain master, local master, preferred master) with authentication modes, assuming a browsing parameter can provide authentication fallback.

How to eliminate wrong answers

Option A is wrong because 'domain master = no' controls whether Samba participates in NetBIOS domain master browser elections, not authentication fallback. Option C is wrong because 'local master = yes' determines if Samba advertises itself as a local master browser, unrelated to authentication. Option D is wrong because 'preferred master = no' influences browser election preferences, not authentication behavior.

303
Multi-Select (easy)

Which TWO daemons are commonly used by DHCP clients on Linux to obtain an IP address? (Choose two.)

Select 2 answers
A.dhclient
B.dhcpcd
C.dhcrelay
D.dhcpd
E.tcpdump
Answers: A, B

dhclient (ISC) and dhcpcd are both DHCP client daemons.

Why this answer

dhclient is the default DHCP client for many Linux distributions, including those based on Red Hat and Debian. It uses the DHCP protocol (RFC 2131) to discover, request, and lease an IP address from a DHCP server, configuring the network interface accordingly. dhcpcd is the other widely used client (the default on Arch and Alpine, among others); both run the same DISCOVER/OFFER/REQUEST/ACK exchange, apply the lease to the interface and renew it before it expires. dhcpd is the ISC server, dhcrelay the relay agent, and tcpdump only captures packets.

Exam trap

The trap here is confusing DHCP client daemons (dhclient, dhcpcd) with DHCP server or relay daemons (dhcpd, dhcrelay), as candidates may misidentify the role of each daemon based on similar naming conventions.

304
Multi-Select (easy)

Which TWO tools can be used to send test email messages from the command line?

Select 2 answers
A.netcat
B.sendmail
C.mail
D.mutt
E.telnet
Answers: B, C

sendmail and mail can both send a message from the shell by reading it from standard input.

Why this answer

B is correct because the `sendmail` command can be used directly from the command line to inject a test email into the local MTA queue, bypassing a full MUA. It accepts a recipient address and message body via standard input, making it a reliable tool for testing mail delivery without a full mail client. C is correct because `mail` (from mailutils or bsd-mailx) is the minimal MUA that does the same from a one-liner, `echo test | mail -s subject user@example.com`, handing the message to the local MTA. `mutt -s subject address < body` can also send non-interactively, but the key counts only B and C.

Exam trap

The trap here is that candidates confuse tools that can manually interact with SMTP (like `netcat` or `telnet`) with tools that are designed to send properly formatted email messages, leading them to select options that require manual protocol steps rather than automated mail injection.

305
MCQ (hard)

An administrator wants to convert an ext4 filesystem to Btrfs without losing data. Which procedure should be used?

A.btrfs-convert /dev/sda1
B.mkfs.btrfs /dev/sda1
C.cp -a /mnt/ext4 /mnt/btrfs
D.btrfs device add /dev/sda1 /mnt
Answer: A

btrfs-convert converts the filesystem in place; the original ext4 metadata is kept in a rollback subvolume until you delete it.

Why this answer

The correct procedure is `btrfs-convert /dev/sda1`, run on an unmounted filesystem that has just passed `e2fsck -f`. The tool writes Btrfs metadata into the free space of the existing filesystem while leaving the ext4 data blocks where they are, and keeps an image of the original ext4 metadata in a read-only subvolume (`ext2_saved`) so the conversion can be rolled back with `btrfs-convert -r`. After the result has been mounted and checked, deleting that subvolume and running `btrfs balance` completes the migration to native Btrfs layout; there is no background process that does this on its own.

Exam trap

The trap here is that candidates may confuse `btrfs-convert` with `mkfs.btrfs` or assume that a simple copy operation is sufficient, overlooking the fact that only `btrfs-convert` performs a true in-place filesystem conversion without data loss.

How to eliminate wrong answers

Option B is wrong because `mkfs.btrfs /dev/sda1` creates a new Btrfs filesystem from scratch, which would overwrite and destroy all existing data on the partition. Option C is wrong because `cp -a /mnt/ext4 /mnt/btrfs` copies files into a second, already formatted Btrfs filesystem; it needs both mounted at once, requires separate storage, and converts nothing in place. Option D is wrong because `btrfs device add /dev/sda1 /mnt` adds a block device to an existing Btrfs filesystem (wiping it in the process); it does not convert an ext4 filesystem and fails if the target is not already Btrfs.

306
MCQ (hard)

A Samba server is experiencing slow authentication for domain users. The logs show repeated winbind connections to the domain controllers. The administrator suspects that winbind is not caching credentials properly. Which parameter should be checked or increased to improve caching?

A.winbind rpc only
B.winbind offline logon
C.winbind cache time
D.winbind request timeout
Answer: C

Sets how many seconds winbindd caches user and group lookups.

Why this answer

The `winbind cache time` parameter controls how long winbindd caches user and group information retrieved from domain controllers. Increasing this value reduces the frequency of authentication requests to the DCs, improving performance. The default is 300 seconds; a higher value (e.g., 900 or 1800) can significantly reduce repeated connections.

Exam trap

The trap here is that candidates confuse `winbind offline logon` (which enables caching for offline scenarios) with `winbind cache time` (which controls how long cached data is considered valid), leading them to pick B instead of C.

How to eliminate wrong answers

Option A is wrong because `winbind rpc only` forces winbind to use only RPC (MS-RPC) for communication with domain controllers, which is slower and less efficient than using LDAP/Kerberos; it does not affect caching. Option B is wrong because `winbind offline logon` enables cached credentials for offline logon but does not control the duration or frequency of cache refreshes; it is about allowing logon when the DC is unreachable, not about reducing repeated connections. Option D is wrong because `winbind request timeout` sets the maximum time winbind waits for a response from a domain controller before timing out; it does not affect how long cached entries are kept.

307
Matching (medium)

Match each security tool to its function.

Pairings (tool, then the description it matches):

iptables: Packet filtering firewall using netfilter
nftables: Successor to iptables with improved syntax
SELinux: Mandatory access control (MAC) system
AppArmor: Mandatory access control using profiles
fail2ban: Intrusion prevention by banning IPs based on logs

Why these pairings

iptables and nftables are both user-space front ends to the kernel's netfilter hooks; nftables replaces the separate iptables, ip6tables, arptables and ebtables tools with a single `nft` syntax and rule set. SELinux labels every process and file and enforces a system-wide type-enforcement policy, while AppArmor confines individual programs with path-based profiles loaded per executable. fail2ban watches log files (sshd, Apache, Postfix and so on) for repeated failures and inserts temporary firewall bans for the offending source addresses.

308
Drag & Drop (medium)

Arrange the steps to configure a Linux system as a PostgreSQL database server.


Why this order

Install the PostgreSQL packages, initialise the cluster (initdb, or the distribution's setup wrapper), start and enable the service, create the application role and database with only the privileges the application needs, then test a connection from the application host.

309
MCQ (easy)

A system administrator needs to add a kernel module to the kernel at runtime without recompiling. Which command should be used?

A.insmod
B.rmmod
C.modprobe
D.depmod
Answer: A

insmod inserts one module file directly into the running kernel.

Why this answer

The correct command is `insmod` because it inserts a kernel module into the running kernel without recompiling. It directly loads the specified module file (e.g., `.ko` file) into the kernel, making it available immediately. This is the standard low-level command for adding a single module at runtime.

Exam trap

The trap here is that `modprobe` also loads modules and is what administrators normally type, because it resolves dependencies from modules.dep and reads /etc/modprobe.d; `insmod` is the low-level command that takes the path of one module file and inserts exactly that object, which is what this question is after.

How to eliminate wrong answers

Option B (rmmod) is wrong because it removes a kernel module from the running kernel, not adds one. Option C (modprobe) loads modules too, and in practice is the better choice because it resolves dependencies and honours /etc/modprobe.d; the question, though, asks for the command that inserts a module directly, and that is `insmod` (modprobe ends up making the same init_module call after loading the dependencies). Option D (depmod) is wrong because it only generates the dependency map (modules.dep) that `modprobe` reads; it loads nothing.

310
MCQ (medium)

You are the administrator of a medium-sized company that runs its own authoritative DNS servers for the domain 'company.com'. The primary DNS server is a BIND9 master, and there are two slaves. Recently, you updated the zone file on the master to add a new subdomain 'lab.company.com' with an A record pointing to 10.0.0.10. After the update, you increased the serial number and ran 'rndc reload'. However, after several hours, some external clients report that they cannot resolve 'lab.company.com'. You check the master server and find that the zone file contains the new record. You also check the slave servers and find that they still have the old zone data. The serial number on the master is 2025011501, while the slaves show 2025011400. The master's syslog shows no errors. The slaves' syslogs show 'zone company.com/IN: Transfer started.' but no completion messages. Firewall rules allow TCP and UDP port 53 between all DNS servers. What should you do to resolve the issue?

A.Check the 'allow-transfer' ACL on the master; it might be restricting transfers to the slaves.
B.Increase the serial number again on the master to a higher value and wait for the slaves to refresh.
C.Restart the BIND service on the slave servers.
D.Run 'rndc notify company.com' on the master to force sending NOTIFY messages to the slaves.
Answer: D

Forces the master to send NOTIFY to its configured slaves, which then query the SOA and start a zone transfer.

Why this answer

Option D is correct because the master's syslog shows no errors and the slaves' logs indicate a transfer started but never completed, which suggests the NOTIFY messages were sent but the resulting transfer stalled. Running 'rndc notify company.com' on the master re-sends NOTIFY to all configured slaves, which prompts them to query the SOA, see the higher serial and start a fresh zone transfer. Before and after, compare serials directly: `dig +short SOA company.com @<slave>` against the same query at the master, where the third field is the serial. If the stalled transfer does not clear, `rndc retransfer company.com` on the affected slave forces a fresh AXFR, and `rndc zonestatus company.com` there shows the serial it holds and when it last refreshed. A slave that logs 'Transfer started.' and nothing further is usually losing the TCP session (AXFR and IXFR run over TCP), so the firewall check should cover stateful handling of longer TCP port 53 sessions, not just whether the port is open.

Exam trap

The trap here is that candidates assume the serial number mismatch alone will eventually trigger a transfer via the slave's refresh timer, but the question emphasizes that hours have passed and the transfer started but never completed, indicating a stalled TCP connection that requires a forced NOTIFY to re-initiate the transfer.

How to eliminate wrong answers

Option A is wrong because the slaves' logs show 'Transfer started', which indicates the master allowed the transfer request; if 'allow-transfer' were blocking, the transfer would not have started at all. Option B is wrong because increasing the serial number again does not address the root cause—the slaves already have a lower serial number and should have initiated a transfer upon receiving a NOTIFY, but the transfer is stalling; a higher serial number will not fix the stalled transfer. Option C is wrong because restarting the BIND service on the slaves is unnecessary and disruptive; the slaves are running and attempting transfers, as shown by the 'Transfer started' logs, so a restart would only temporarily interrupt service without resolving the incomplete transfer.
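An added example (not from the exam page) of the check a practitioner would script on the slaves before reaching for rndc: it reads named's syslog lines and reports every zone whose latest 'Transfer started.' was never followed by a 'transferred serial' line, alongside the serial the master announced in its NOTIFY. The log lines are constructed for the example in the format named writes to syslog; the host names, addresses and the second zone are invented.

```sh
#!/bin/sh
# Added example, not part of the exam page: report zones on a secondary
# whose most recent "Transfer started." was never followed by a
# "transferred serial" line, and show the serial the primary announced
# in its NOTIFY. The log lines are constructed for this example in the
# format named writes to syslog; on a real host pipe in
# `journalctl -u named --no-pager` or the named log file instead.

sample_log() {
cat <<'EOF'
Jan 15 09:00:01 ns2 named[812]: zone company.com/IN: notify from 192.0.2.1#53: serial 2025011501
Jan 15 09:00:01 ns2 named[812]: zone company.com/IN: Transfer started.
Jan 15 09:00:01 ns2 named[812]: transfer of 'company.com/IN' from 192.0.2.1#53: connected using 192.0.2.2#41234
Jan 15 09:00:05 ns2 named[812]: zone corp.example/IN: notify from 192.0.2.1#53: serial 2025011502
Jan 15 09:00:05 ns2 named[812]: zone corp.example/IN: Transfer started.
Jan 15 09:00:05 ns2 named[812]: transfer of 'corp.example/IN' from 192.0.2.1#53: connected using 192.0.2.2#41236
Jan 15 09:00:05 ns2 named[812]: zone corp.example/IN: transferred serial 2025011502
Jan 15 09:00:05 ns2 named[812]: transfer of 'corp.example/IN' from 192.0.2.1#53: Transfer status: success
Jan 15 09:00:05 ns2 named[812]: transfer of 'corp.example/IN' from 192.0.2.1#53: Transfer completed: 1 messages, 12 records, 318 bytes, 0.004 secs (79500 bytes/sec)
EOF
}

# Reads log lines on stdin, prints one line per zone that started a transfer:
#   STALLED <zone> announced <serial>   or   OK <zone> serial <serial>
transfer_report() {
    awk '
    function zone(line,    z) {           # "zone NAME/IN:" -> NAME
        match(line, /zone [^ ]+\//)
        return substr(line, RSTART + 5, RLENGTH - 6)
    }
    /zone [^ ]+: notify from .* serial [0-9]+$/ {
        s = $0; sub(/.* serial /, "", s); announced[zone($0)] = s; next
    }
    /zone [^ ]+: Transfer started\.$/ {
        z = zone($0); started[z] = 1; done[z] = ""; next
    }
    /zone [^ ]+: transferred serial [0-9]+$/ {
        s = $0; sub(/.*transferred serial /, "", s); done[zone($0)] = s
    }
    END {
        for (z in started) {
            if (done[z] == "")
                print "STALLED " z " announced " ((z in announced) ? announced[z] : "?")
            else
                print "OK " z " serial " done[z]
        }
    }' | sort
}

sample_log | transfer_report
```

A STALLED line is the cue for `rndc retransfer <zone>` on that slave (or `rndc notify <zone>` on the master, as the key prefers); an OK line whose serial is still below the master's means the slave transferred an older version and simply has not been notified since.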

311
MCQ (easy)

Refer to the exhibit. A user on the client tries to ping 'server1' and gets an unknown host error. What is the most likely cause?

A.The DNS server has no record for 'server1.example.com'.
B.The search domain is missing.
C.The DNS server IP is incorrect.
D.Only one nameserver is specified, causing a timeout.
Answer: A

The resolver expands 'server1' to 'server1.example.com' through the search domain; if no record exists for that name, the lookup fails.

Why this answer

The error 'unknown host' indicates that the client's DNS resolution failed for the hostname 'server1'. Since the client likely uses a fully qualified domain name (FQDN) lookup or appends a search domain, the most common cause is that the DNS server does not have an A or AAAA record for 'server1.example.com'. Without a matching record, the resolver returns NXDOMAIN, leading to the 'unknown host' error.

Exam trap

The trap here is that candidates often confuse a DNS resolution failure due to a missing record (NXDOMAIN) with network connectivity issues or misconfigured resolvers, leading them to choose options like incorrect DNS server IP or timeout, when the actual cause is a lack of a DNS record for the queried hostname.

How to eliminate wrong answers

Option B is wrong because the exhibit shows a search domain, so the resolver does expand 'server1' to 'server1.example.com'; the failing step is the lookup of the expanded name, not the expansion (without any search domain the bare name would be queried and fail in the same way, but that is not what the exhibit shows). Option C is wrong because if the DNS server IP were incorrect, the client would typically get 'Temporary failure in name resolution' (or, from dig, 'connection timed out; no servers could be reached'), not 'unknown host', as the resolver would fail to contact any nameserver. Option D is wrong because having only one nameserver does not inherently cause a timeout; a timeout occurs only if that single server is unreachable, which again produces a temporary-failure error rather than 'unknown host'.

312
Multi-Select (medium)

Which TWO are best practices for securing an Apache web server?

Select 2 answers
A.Allow directory indexing for ease of navigation.
B.Disable directory listing using Options -Indexes.
C.Use .htaccess files for all access control.
D.Set ServerTokens to Prod to minimize version exposure.
E.Enable mod_info to monitor server status.
Answers: B, D

Prevents directory browsing and hides the version string, reducing information leakage.

Why this answer

Disabling directory listing (Option B) prevents attackers from browsing directory contents. Setting ServerTokens to Prod (Option D) reduces the Server header to 'Apache' and hides the version and module list. Option E (mod_info) is not a security practice; it exposes the full server configuration to whoever can reach /server-info.

Option A (directory indexing) is insecure. Option C (using .htaccess for all access control) costs a file lookup on every request and lets anyone who can write to the document tree change the access rules; access control belongs in the main configuration, with AllowOverride None where .htaccess is not needed.

313
MCQ (hard)

A company runs a web application on a Linux server that uses Apache, MySQL, and PHP. The application stores sensitive user data in a MySQL database. The security team has detected that the MySQL service is listening on port 3306 on all interfaces (0.0.0.0). The application and database are on the same server, so there is no need for remote database access. The administrator must secure the MySQL service without breaking the application. Which of the following is the most appropriate course of action?

A.Edit the MySQL configuration file (my.cnf) and set bind-address = 127.0.0.1, then restart the MySQL service.
B.Change the MySQL default port to a non-standard port to avoid automated scans.
C.Disable the MySQL network entirely by commenting out the 'skip-networking' directive in my.cnf.
D.Use iptables to add a rule dropping incoming packets to port 3306 from all IPs except 127.0.0.1.
Answer: A

Restricts MySQL to the loopback interface, so remote hosts cannot reach it while the local application still can.

Why this answer

Setting bind-address = 127.0.0.1 in the MySQL configuration file (my.cnf) makes mysqld listen only on the loopback interface, which prevents remote connections while the local application keeps working. Note how PHP connects: with the host name `localhost`, mysqli and PDO use the Unix socket; with `127.0.0.1` they use TCP, and both still work after the change. After the restart, confirm the result with `ss -ltn`: the only 3306 listener should be 127.0.0.1:3306, with no 0.0.0.0 or [::] entry. Keeping a host-firewall rule for 3306 as well is a sensible second layer, but the binding is the primary fix.

Exam trap

The trap here is that candidates may confuse 'skip-networking' with disabling networking (option C) or think that changing the port (option B) is sufficient security, when in fact the core issue is the binding to all interfaces, which is directly solved by the bind-address directive.

How to eliminate wrong answers

Option B is wrong because moving to a non-standard port leaves the daemon reachable on every interface; it hides nothing from a full port scan and removes no exposure. Option C is wrong twice over: commenting out `skip-networking` enables TCP listening rather than disabling it, and actually enabling skip-networking would break the application wherever it connects to 127.0.0.1 over TCP (mysqli and PDO use the Unix socket only for the literal host name `localhost`). Option D is wrong because a packet-filter rule leaves the daemon bound to every interface and depends on the rule set being loaded, ordered correctly and surviving every reboot and flush; it is a reasonable second layer, not the primary fix.
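The checks behind questions 312 and 313, as an added example that is not code from the exam page: one function reads `ss -H -ltn` output and lists every socket bound to a wildcard address, another reports the bind-address in effect under [mysqld], and a third audits an httpd.conf for enabled directory indexes, ServerTokens and ServerSignature. The ss output and the weak and corrected configuration fragments are constructed here so the script runs offline; on a real host pipe in the live command output and files.

```sh
#!/bin/sh
# Added example, not part of the exam page: the checks a hardening script
# would run on the LAMP host from questions 312 and 313. The `ss -H -ltn`
# output, the my.cnf fragments and the httpd.conf fragments are
# constructed here so the script runs offline.

sample_ss() {
cat <<'EOF'
LISTEN 0      80           0.0.0.0:3306       0.0.0.0:*
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      128        127.0.0.1:6379       0.0.0.0:*
LISTEN 0      511             [::]:443           [::]:*
EOF
}

# stdin: ss -H -ltn; stdout: "PORT LOCAL-ADDRESS" for every wildcard bind
exposed_ports() {
    awk '$4 ~ /^(0\.0\.0\.0|\[::\]|\*):/ { n = split($4, a, ":"); print a[n], $4 }'
}

# exit 0 when MySQL (3306) is reachable on every interface
mysql_exposed() {
    exposed_ports | awk '$1 == "3306" { hit = 1 } END { exit hit ? 0 : 1 }'
}

sample_mycnf_weak() {
cat <<'EOF'
[mysqld]
datadir = /var/lib/mysql
# bind-address = 127.0.0.1
bind-address = 0.0.0.0
EOF
}
sample_mycnf_fixed() {
cat <<'EOF'
[mysqld]
datadir = /var/lib/mysql
bind-address = 127.0.0.1
EOF
}

# stdin: my.cnf; stdout: bind-address under [mysqld], or "unset" (= all interfaces)
mysql_bind_address() {
    awk '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); next }
    sec == "mysqld" {
        line = $0; gsub(/[ \t]/, "", line)
        if (line ~ /^bind[-_]address=/) { sub(/^bind[-_]address=/, "", line); addr = line }
    }
    END { print (addr == "" ? "unset" : addr) }'
}

sample_httpd_weak() {
cat <<'EOF'
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
}
sample_httpd_fixed() {
cat <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
EOF
}

# stdin: httpd.conf; stdout: one finding per line, nothing when clean
apache_findings() {
    awk '
    /^[ \t]*#/ { next }
    tolower($1) == "servertokens"    { tokens = tolower($2) }
    tolower($1) == "serversignature" { sig = tolower($2) }
    tolower($1) == "options" {
        for (i = 2; i <= NF; i++)
            if (tolower($i) == "indexes" || tolower($i) == "+indexes")
                print "directory listing enabled, line " NR ": " $0
    }
    END {
        if (tokens != "prod") print "ServerTokens is \"" tokens "\", want Prod"
        if (sig != "off")     print "ServerSignature is \"" sig "\", want Off"
    }'
}

sample_ss | mysql_exposed && echo "MySQL is listening on all interfaces"
sample_mycnf_weak | mysql_bind_address
sample_httpd_weak | apache_findings
```

A missing bind-address counts as exposed on purpose: MySQL's default is to listen on all addresses, so "unset" must be treated like 0.0.0.0. The Apache audit only looks at plain `Options` lines, which is enough for the main configuration; if AllowOverride permits Options in .htaccess files, those have to be scanned as well.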

314
Multi-Select (hard)

Which THREE conditions can cause a Linux DHCP client to fail to obtain an IP address? (Select THREE.)

Select 3 answers
A.A firewall on the client is blocking UDP port 67 (DHCP server).
B.The DHCP server is configured with a different subnet than the client's broadcast domain.
C.The DHCP server's address pool is exhausted.
D.The DHCP server has MAC address filtering enabled and the client's MAC is not allowed.
E.The client interface is configured with a static IP address.
Answers: A, C, D

DHCP uses UDP port 67 on the server and 68 on the client; a client firewall that blocks traffic to port 67 stops the client's DHCPDISCOVER and DHCPREQUEST from going out.

Why this answer

Option A is correct because a client-side firewall that blocks UDP port 67 stops the client's own DHCPDISCOVER and DHCPREQUEST, which are sent to the server's port 67 (the server's DHCPOFFER and DHCPACK come back to the client's port 68, so a filter on inbound port 68 would break the other half of the exchange). Option C is correct because a server with no free leases in the client's network logs 'no free leases' and sends no offer. Option D is correct because a server configured with `deny unknown-clients`, or a host entry that denies the client's hardware address, answers with nothing, and the client keeps retrying its DISCOVER.

Exam trap

The trap here is that candidates often assume a subnet mismatch (Option B) always prevents DHCP, but DHCP servers can offer addresses from different subnets if configured appropriately, and the client can accept them; the real failure condition is when the server cannot respond at all, such as with exhausted pools or MAC filtering.

315
Multi-Select (hard)

Which THREE are valid values for the 'security' parameter in smb.conf? (Choose three.)

Select 3 answers
A.auto
B.ads
C.share
D.domain
E.user
Answers: B, D, E

ads joins an Active Directory domain and authenticates with Kerberos.

Why this answer

Option B (ads) is correct because the 'security = ads' setting in smb.conf configures Samba to operate in Active Directory domain member mode, allowing it to join an Active Directory domain using Kerberos authentication and LDAP for identity resolution. This is a valid security mode for integrating Samba with Windows Active Directory environments.

Exam trap

The trap here is that candidates may assume 'share' is still valid: it was removed in Samba 4.0, and share-level behaviour is now emulated with 'security = user' plus 'map to guest'. Be aware that current Samba does accept 'security = auto' as its default, which defers to the 'server role' setting; the key nevertheless expects the three explicit modes ads, domain and user.

316
MCQ (hard)

A Samba server is configured as a domain member in an Active Directory environment. Users report that after changing their password on a Windows client, they cannot authenticate to Samba shares. The Samba server is using winbind and the 'idmap_ad' backend. What is the most likely cause?

A.The 'winbind offline logon' option is not enabled
B.Password changes are not replicated to the domain controller that Samba authenticates against
C.The winbind cache is outdated and needs to be cleared
D.The 'idmap backend' must be set to 'rid' instead of 'ad'
Answer: B

If the DC that winbind contacts has not yet received the updated password, authentication fails until replication catches up.

Why this answer

In an Active Directory domain member configuration, Samba authenticates against a specific domain controller (DC). When a user changes their password on a Windows client, the new password is first written to the DC that processed the change. If the Samba server's winbind service is authenticating against a different DC that has not yet received the replicated password update, authentication fails. Which DC winbindd is using can be seen with `wbinfo --dc-info DOMAIN` or `net ads info`, and `wbinfo -a 'DOMAIN\user%password'` tests the authentication path directly, so the symptom can be confirmed against each DC in turn.

This is the most likely cause because password replication in AD is not instantaneous and depends on replication latency.

Exam trap

The trap here is that candidates often assume the issue is with local caching or ID mapping backends, when in fact the root cause is the asynchronous replication of password changes between domain controllers in a multi-DC environment.

How to eliminate wrong answers

Option A is wrong because 'winbind offline logon' controls cached credentials for offline access, not the replication of password changes between domain controllers. Option C is wrong because clearing the winbind cache would remove cached user/group mappings but would not fix a password mismatch caused by replication delay; the cache does not store passwords. Option D is wrong because the 'idmap backend' setting (ad vs. rid) affects how Unix IDs are mapped from AD attributes, not how password changes are replicated or authenticated.

317
MCQ (easy)

A client mounts the export with 'mount -t nfs server:/data /mnt/data' and root on the client can write files. Which option in /etc/exports allows root to retain its privileges?

A.root_squash
B.no_root_squash
C.rw
D.async
Answer: B

Root squashing is disabled, so the client's root keeps UID 0 on the server.

Why this answer

Option B (no_root_squash) is correct because it prevents the NFS server from mapping the client's root user (UID 0) to the anonymous 'nobody' user. By default, NFS exports use root_squash, which maps root to an unprivileged user for security. With no_root_squash, the client's root retains UID 0 on the server, allowing write access to files owned by root on the export. Treat it as an exception that needs justification: with no_root_squash, root on any client matched by that export can create setuid-root binaries on the share, which users on every other client then execute unless those clients mount with `nosuid`; keep the host list tight and never combine it with a wildcard host.

Exam trap

The trap here is that candidates often confuse 'rw' (which enables write access) with the ability to retain root privileges, not realizing that root_squash is a separate, default mechanism that overrides rw for UID 0.

How to eliminate wrong answers

Option A (root_squash) is wrong because it is the default behavior that maps root to the anonymous user (typically 'nobody' or 'nfsnobody'), stripping root privileges — the opposite of what the question asks. Option C (rw) is wrong because it only grants read-write access to the export; it does not control UID mapping or root privilege retention. Option D (async) is wrong because it controls whether the server replies to write requests before data is written to stable storage, affecting performance and data integrity, not user privilege mapping.
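An added example (not from the exam page) of the audit that follows from the caveat above: it walks an exports(5) file, prints every client entry that grants no_root_squash, and marks the ones any client can use. The sample exports file is constructed for the example and includes the classic mistake of a space between the host and its option list, which exports(5) treats as "this host with defaults, plus everyone with these options".

```sh
#!/bin/sh
# Added example, not part of the exam page: list every /etc/exports entry
# that hands UID 0 through unsquashed, and flag the ones any client can
# reach. The exports file below is constructed for the example; run the
# function against the real /etc/exports (and /etc/exports.d/*) on a server.

sample_exports() {
cat <<'EOF'
# build farm needs root to install into the shared tree
/srv/build    10.0.0.0/24(rw,sync,no_subtree_check,no_root_squash)
/srv/public   *(ro,sync,no_subtree_check)
/srv/backup   backup01(rw,sync) *(rw,sync,no_root_squash)
/srv/scratch  10.0.0.5 (rw,no_root_squash)
/data         client1.example.com(rw,sync,no_subtree_check)
EOF
}

# stdin: exports(5) file; stdout: "PATH HOST SCOPE" for each no_root_squash grant
risky_exports() {
    awk '
    /^[ \t]*#/ || NF < 2 { next }
    {
        for (i = 2; i <= NF; i++) {
            t = $i
            if (t ~ /^\(/) {                  # "(opts)" with no host applies to everyone
                host = "*"; opts = t
            } else if (t ~ /\(/) {            # host(opts)
                host = t; sub(/\(.*/, "", host)
                opts = t; sub(/^[^(]*/, "", opts)
            } else {                          # bare host: defaults, root_squash on
                host = t; opts = ""
            }
            gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] == "no_root_squash")
                    print $1, host, ((host ~ /[*?]/) ? "ANY-CLIENT" : "restricted")
        }
    }'
}

sample_exports | risky_exports
```

On the sample file the /srv/scratch line is the one to look at twice: the intended client 10.0.0.5 gets the defaults, and the `(rw,no_root_squash)` that follows the space applies to every host on the network. `exportfs -v` shows how the server actually parsed each line and is the quickest cross-check.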

318
MCQ (medium)

A server with multiple network cards needs a specific kernel module loaded before network configuration. Where should loading be configured for early boot?

A./boot/grub/grub.cfg
B./etc/modprobe.d/
C./etc/sysconfig/modules/
D./etc/modules-load.d/
Answer: D

Each file in /etc/modules-load.d/ lists one module per line; systemd-modules-load.service loads them before networking starts.

Why this answer

Option D is correct because systemd-based systems use /etc/modules-load.d/ to specify kernel modules that must be loaded early in the boot process, before network configuration. Files in this directory are processed by systemd-modules-load.service, which runs before network services, ensuring the module is available when interfaces are brought up.

Exam trap

The trap here is that candidates often confuse /etc/modprobe.d/ (for module parameters and aliases) with /etc/modules-load.d/ (for specifying modules to load at boot), leading them to choose the wrong directory for early module loading.

How to eliminate wrong answers

Option A is wrong because /boot/grub/grub.cfg is the GRUB configuration file used for bootloader settings, not for loading kernel modules after the kernel is running. Option B is wrong because /etc/modprobe.d/ is for modprobe configuration (e.g., module aliases, options, blacklisting), not for specifying modules to load at boot. Option C is wrong because /etc/sysconfig/modules/ is a Red Hat/CentOS legacy directory for custom module-loading scripts, but it is not the standard systemd location and is not processed by systemd-modules-load.service.

319
MCQ (medium)

To ensure LDAP communication is encrypted, an administrator configures LDAP over SSL (LDAPS) on port 636. Which configuration file on the client should be modified to specify the LDAP server with TLS?

A./etc/pam_ldap.conf
B./etc/openldap/ldap.conf
C./etc/nsswitch.conf
D./etc/ldap/ldap.conf
Answer: D

This is the LDAP client library's configuration file (the Debian path; Red Hat-family systems use /etc/openldap/ldap.conf).

Why this answer

Option D is correct because the LDAP client library reads its defaults from /etc/ldap/ldap.conf on Debian-based systems (/etc/openldap/ldap.conf on Red Hat-based ones). The directives that matter for LDAPS are `URI ldaps://ldap.example.com/` (server name assumed here), `TLS_CACERT` pointing at the CA certificate that signed the server's certificate, and `TLS_REQCERT demand`, which makes the client abort on an unverifiable certificate instead of silently accepting it; with `TLS_REQCERT never` the connection is encrypted but not authenticated, which is exactly what an attacker in the path wants. `BASE` is usually set in the same file. Modifying this file makes every libldap client on the host connect to the server on port 636 with encryption.

Exam trap

The trap here is that candidates often confuse the client configuration file path between distributions (e.g., /etc/openldap/ldap.conf vs. /etc/ldap/ldap.conf) or mistakenly choose /etc/pam_ldap.conf because it deals with authentication, but the question specifically asks for the file to specify the LDAP server with TLS, which is the generic client LDAP configuration file.

How to eliminate wrong answers

Option A is wrong because /etc/pam_ldap.conf (or /etc/nslcd.conf on systems using nss-pam-ldapd) configures the PAM and NSS LDAP modules, not the LDAP client library used by tools such as ldapsearch. Option B is wrong only by packaging: /etc/openldap/ldap.conf is the same file on Red Hat-family systems, while Debian and Ubuntu install it as /etc/ldap/ldap.conf, which is the path the key follows. Option C is wrong because /etc/nsswitch.conf only orders the name-service sources (files, ldap, dns) and holds no server URI or TLS settings.

320
Multi-Select (hard)

Which TWO are true about the autofs automounter configuration? (Choose two.)

Select 2 answers
A.Autofs mounts remain indefinitely once accessed.
B.Autofs uses /etc/fstab to define automount points.
C.The master configuration file is /etc/auto.master.
D.Autofs can only be used with NFS filesystems.
E.Direct maps are useful for mount points that are not under /net or /home.
Answers: C, E

/etc/auto.master defines the managed mount points and the maps that describe them.

Why this answer

Option C is correct because the autofs automounter uses /etc/auto.master as its master configuration file. This file defines the base directories for automount points and references subordinate map files (e.g., /etc/auto.home) that specify the actual mount details. The automounter daemon (automount) reads this master file to determine which directories to manage and how to mount filesystems on demand. Option E is correct because direct maps (listed under the `/-` mount point in auto.master) attach single, absolute mount points anywhere in the tree, whereas indirect maps manage the entries beneath one base directory such as /home or /net.

Exam trap

The trap here is that candidates often confuse the master configuration file with /etc/fstab or assume autofs is NFS-only, while the exam tests knowledge of the specific master file (/etc/auto.master) and the flexibility of autofs to handle multiple filesystem types and map styles.

321
Multi-Select (easy)

Which TWO conditions must be met for a Linux bridge to forward Ethernet frames between its ports?

Select 2 answers
A.Traffic must be allowed by iptables FORWARD chain
B.The bridge must be in the 'up' state
C.At least two ports must be added to the bridge
D.The bridge must have an IP address configured
E.Spanning tree must be disabled
Answers: B, C

The bridge interface must be administratively up, and it needs at least two ports to have anything to forward between.

Why this answer

Option B is correct because a Linux bridge must be in the 'up' administrative state (set via `ip link set br0 up`) to forward frames. Without the 'up' state, the bridge will not process or forward any Ethernet frames between its ports, regardless of other configurations. Option C is correct because forwarding happens between ports; a bridge with a single port (added with `ip link set eth0 master br0`) has nowhere to forward a frame to.

Exam trap

The trap here is that candidates often assume a bridge needs an IP address to forward frames (Option D), confusing Layer 2 bridging with Layer 3 routing, or they think iptables must permit traffic (Option A) due to common firewall configurations on routers.

322
MCQeasy

To list all currently loaded kernel modules, which command is used?

A.lsmod
B.kmod -l
C.modlist
D.modules_loaded
AnswerA

lsmod lists all loaded kernel modules.

Why this answer

The correct command to list all currently loaded kernel modules is `lsmod`. It reads the `/proc/modules` file and displays the module name, size, used count, and a list of dependent modules. This is the standard and most direct method on Linux systems.

Exam trap

The trap here is that candidates may confuse `lsmod` with `modprobe` or `kmod` options, or assume a non-existent command like `modlist` is correct because it sounds plausible.

How to eliminate wrong answers

Option B is wrong because `kmod -l` is not a valid command; `kmod` is a helper program for managing kernel modules, but it does not have a `-l` flag to list loaded modules (the correct command for listing modules via kmod is `kmod list` or `lsmod`). Option C is wrong because `modlist` is not a standard Linux command; it does not exist in the kernel module management tools. Option D is wrong because `modules_loaded` is not a command; it is a conceptual term and there is no such executable or built-in command in Linux.

323
MCQhard

A technician is troubleshooting a system that fails to boot after adding a new SATA SSD and editing /etc/fstab. The error message is 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,17)'. What is the most likely issue?

A.The root filesystem UUID in /etc/fstab is incorrect.
B.The kernel image is missing.
C.The kernel lacks SATA driver support.
D.The initramfs was not regenerated after adding the disk.
AnswerA

Incorrect UUID leads to unknown-block error.

Why this answer

The error 'unknown-block(8,17)' indicates the kernel cannot find the root filesystem. Block device 8,17 corresponds to /dev/sdb1 (major 8 for SCSI/SATA, minor 17). The most likely cause is an incorrect UUID in /etc/fstab, which prevents the system from mounting the root partition.

The kernel can see the device, but the mount fails because the UUID specified does not match any available partition.

Exam trap

The trap here is that candidates confuse a missing initramfs with an incorrect fstab entry, but the specific block device number proves the kernel sees the disk, so the issue is a mount configuration error, not a driver or initramfs problem.

How to eliminate wrong answers

Option B is wrong because a missing kernel image would cause a different error, such as 'No bootable device' or a GRUB failure, not a VFS mount panic. Option C is wrong because the kernel can identify the block device (8,17), proving SATA driver support is present; a missing driver would result in 'unknown-block(0,0)' or no device node. Option D is wrong because the initramfs is not involved in mounting the root filesystem from /etc/fstab; the initramfs only provides early userspace and drivers, but the root mount is handled by the kernel after pivot_root, and regenerating it would not fix an incorrect UUID in fstab.

324
MCQmedium

A company has a Linux server with two network interfaces: eth0 connected to the internal 192.168.1.0/24 network, and eth1 connected to the internet via a public IP of 203.0.113.10. The server runs a web server on port 80 and needs to allow internal clients to access the internet while hiding their private IPs (MASQUERADE). Additionally, external users should be able to reach the web server using the public IP. The administrator has enabled IP forwarding and configured iptables with the following rules:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

However, internal clients can access the internet, but external users cannot reach the web server. What should the administrator do to fix the issue?

A.Add a DNAT rule in the PREROUTING chain of the nat table to translate destination 203.0.113.10:80 to 192.168.1.100:80.
B.Add a FORWARD rule to allow new connections from eth1 to eth0.
C.Add a rule in the INPUT chain to accept traffic on port 80.
D.Change the MASQUERADE rule to SNAT with the public IP.
AnswerA

This will redirect incoming packets to the internal web server.

Why this answer

The current iptables rules perform SNAT/MASQUERADE for outbound traffic and allow forwarding of related/established inbound traffic, but they do not redirect incoming connections destined for the public IP (203.0.113.10:80) to the internal web server (e.g., 192.168.1.100:80). A DNAT rule in the PREROUTING chain of the nat table is required to translate the destination address and port, so that external packets are forwarded to the internal server and the response traffic is handled by the existing MASQUERADE rule.

Exam trap

The trap here is that candidates often confuse the need for DNAT with simply opening firewall rules (INPUT or FORWARD), forgetting that without destination address translation, the internal server never sees the packet as destined for itself.

How to eliminate wrong answers

Option B is wrong because adding a FORWARD rule to allow new connections from eth1 to eth0 would bypass the need for destination NAT; without DNAT, the packet's destination remains the public IP, which the internal network cannot route, so the connection would still fail. Option C is wrong because the INPUT chain controls traffic destined for the local server itself, not forwarded traffic; the web server is on a different internal host, so INPUT rules are irrelevant for forwarded packets. Option D is wrong because changing MASQUERADE to SNAT with the public IP would still only handle outbound source translation; it does not provide the required destination translation for inbound connections to the web server.

325
MCQmedium

Refer to the exhibit. What does the output indicate about the user John Doe's access to the file report.txt?

A.The user has a lease lock.
B.The user has a read lock with no deny mode.
C.The file is opened for writing.
D.The user has an exclusive write lock.
AnswerB

Correct; DENY_NONE and RDONLY indicate a non-exclusive read lock.

Why this answer

The output shows that John Doe has a read lock on report.txt with no deny mode, meaning other processes can still read the file while he holds the lock. This is indicated by the lock type 'R' (read) and the absence of a deny mode (deny mode 'NONE'). In Samba, a read lock with no deny mode allows concurrent read access but prevents write access from other clients.

Exam trap

LPI often tests the distinction between lock type and deny mode, where candidates confuse a read lock with no deny mode for an exclusive lock or assume any lock prevents all access, but the deny mode specifically controls what other clients can do.

How to eliminate wrong answers

Option A is wrong because a 'lease lock' is a different concept in Samba (used for oplocks/leases), not indicated by the output which shows a standard read lock. Option C is wrong because the file is opened for reading, not writing; the output shows 'R' for read lock, and the open mode would be 'r' or similar, not write. Option D is wrong because an exclusive write lock would be shown as 'W' or 'DENY_WRITE' with exclusive access, but the output shows a read lock with no deny mode, which is not exclusive.

326
MCQmedium

During boot, the system displays 'unable to mount root fs on unknown-block'. What is the most likely cause?

A.Corrupted init binary
B.Missing filesystem driver in initramfs
C.Wrong block device order
D.Incorrect root= parameter
AnswerB

The kernel cannot access the root filesystem because the necessary driver (e.g., ext4) is not loaded; it must be in the initramfs.

Why this answer

The error 'unable to mount root fs on unknown-block' indicates that the kernel cannot find a driver for the filesystem or block device containing the root filesystem. This typically occurs when the initramfs lacks the necessary kernel module (e.g., ext4, xfs, or a storage controller driver like ahci or nvme) to access the root device. The initramfs is responsible for loading essential drivers before the kernel mounts the real root filesystem; if the driver is missing, the mount fails.

Exam trap

The trap here is that candidates confuse a missing driver with a wrong root= parameter, but the error message 'unknown-block' specifically points to a driver/module issue, not a path or UUID mismatch.

How to eliminate wrong answers

Option A is wrong because a corrupted init binary would cause a different failure, such as a panic or kernel oops during init execution, not a block device mount error. Option C is wrong because block device order (e.g., /dev/sda vs /dev/sdb) is irrelevant when the root= parameter explicitly specifies the device; the kernel uses the given device path, not enumeration order. Option D is wrong because an incorrect root= parameter would produce an error like 'VFS: Cannot open root device' or 'unknown-block(0,0)', not the specific 'unknown-block' message, which indicates the driver is missing for a correctly specified device.
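
The two questions above (323 and 326) both hinge on reading the (major,minor) pair in the 'unknown-block(M,N)' panic text. The following shell function, an added example that is not part of the question bank, decodes that pair the way the explanations do: major 8 is the sd (SCSI/SATA) driver, which reserves 16 minors per disk, so minor 17 is /dev/sdb1, while (0,0) means the kernel resolved no device at all from the root= parameter. The device-numbering rule for major 8 is standard kernel behaviour; the sample panic strings are constructed.

```shell
#!/bin/sh
# Added example, not taken from the question bank.
# Assumptions: major 8 = sd driver, 16 minors per disk
#   minor  0 = /dev/sda,  1..15 = /dev/sda1../dev/sda15
#   minor 16 = /dev/sdb, 17..31 = /dev/sdb1../dev/sdb15, and so on.
# Disks beyond sdz (two-letter names such as sdaa) are not handled here.

# sd_name MINOR -> /dev/sdXN for a major-8 device
sd_name() {
    minor=$1
    disk=$((minor / 16))
    part=$((minor % 16))
    letters=abcdefghijklmnopqrstuvwxyz
    letter=$(printf '%s' "$letters" | cut -c $((disk + 1)))
    if [ "$part" -eq 0 ]; then
        printf '/dev/sd%s\n' "$letter"      # whole disk
    else
        printf '/dev/sd%s%s\n' "$letter" "$part"
    fi
}

# decode_unknown_block "<panic text>" -> human-readable device description
decode_unknown_block() {
    # Pull "M N" out of "... unknown-block(M,N) ..." (constructed input in the tests)
    ids=$(printf '%s\n' "$1" \
        | sed -n 's/.*unknown-block(\([0-9]*\),\([0-9]*\)).*/\1 \2/p')
    if [ -z "$ids" ]; then
        echo "no unknown-block(major,minor) found in input"
        return 1
    fi
    major=${ids% *}
    minor=${ids#* }
    case "$major" in
        0)
            # (0,0): the kernel could not resolve root= to any block device
            echo "no root device resolved (check root= and the initramfs)"
            ;;
        8)
            sd_name "$minor"
            ;;
        *)
            # Other drivers (e.g. NVMe, device-mapper) use dynamic minors;
            # the mapping must be looked up on the running system.
            echo "major $major minor $minor (see /sys/dev/block/$major:$minor)"
            ;;
    esac
}

# Example run on the panic text from question 323:
decode_unknown_block 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,17)'
```

On a live system the same lookup can be done without arithmetic by reading the symlink target of /sys/dev/block/8:17, which is the authoritative mapping for every driver, not only sd.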

327
MCQmedium

An administrator wants to use /dev/sdb for a new ext4 filesystem. Which step must be performed first?

A.Mount /dev/sdb to a directory using mount.
B.Create the ext4 filesystem directly on /dev/sdb using mkfs.ext4.
C.Run partprobe /dev/sdb to update the kernel partition table.
D.Create a partition table on /dev/sdb using fdisk.
AnswerD

Correct: A partition must be created first; the disk has no partition table.

Why this answer

Option D is correct because the exhibit shows /dev/sdb without any partitions. Before creating a filesystem, a partition table must be created (e.g., using fdisk) and at least one partition defined. Option B would attempt to create a filesystem directly on the disk, which is possible but not typical and may cause issues with tools expecting partitions.

Option C (partprobe) is only needed after modifying the partition table. Option A (mount) would fail because no filesystem exists yet.

328
MCQmedium

Refer to the exhibit. A system administrator has configured the above in /etc/default/grub. After running update-grub, what will be the boot menu behavior?

A.The menu will be displayed for 10 seconds, then the default entry boots automatically.
B.The boot menu will be hidden for 0 seconds (i.e., not hidden), and the default entry boots immediately.
C.The menu will be displayed but with no timeout; it will wait indefinitely for user input.
D.The boot menu will be hidden unless Shift is pressed, and the default entry will boot after 10 seconds.
AnswerA

GRUB_HIDDEN_TIMEOUT=0 means no hidden menu, so the standard timeout applies and the menu is shown.

Why this answer

Option A is correct because the configuration shown in /etc/default/grub includes GRUB_TIMEOUT=10 and GRUB_TIMEOUT_STYLE=menu (or the default style if unset). After running update-grub, the boot menu will be displayed for 10 seconds, and then the default entry (set by GRUB_DEFAULT) will boot automatically. This is the standard behavior when GRUB_TIMEOUT is set to a positive integer and the timeout style is 'menu'.

Exam trap

The trap here is that candidates confuse GRUB_TIMEOUT with GRUB_HIDDEN_TIMEOUT, assuming a positive timeout always hides the menu or that a hidden menu is the default behavior, when in fact the default GRUB_TIMEOUT_STYLE is 'menu' and the timeout simply controls how long the menu is displayed before auto-booting.

How to eliminate wrong answers

Option B is wrong because GRUB_TIMEOUT=10 does not cause the menu to be hidden for 0 seconds; a hidden menu requires GRUB_TIMEOUT_STYLE=hidden or GRUB_TIMEOUT=0 with GRUB_HIDDEN_TIMEOUT, and the default entry would boot immediately only if GRUB_TIMEOUT=0. Option C is wrong because GRUB_TIMEOUT=10 sets a finite timeout of 10 seconds, not an indefinite wait; an indefinite wait requires GRUB_TIMEOUT=-1. Option D is wrong because hiding the menu unless Shift is pressed requires GRUB_TIMEOUT_STYLE=hidden along with GRUB_HIDDEN_TIMEOUT and GRUB_HIDDEN_TIMEOUT_QUIET, and the timeout of 10 seconds would apply to the hidden menu, not the displayed menu; the configuration shown does not include these hidden-menu directives.

329
MCQeasy

An administrator wants to encrypt a file so that only a specific recipient can decrypt it. Which GPG command should be used?

A.gpg --encrypt --recipient key-id file
B.gpg --symmetric file
C.gpg --clearsign file
D.gpg --sign file
AnswerA

This encrypts the file for the specified recipient's public key.

Why this answer

To encrypt for a specific recipient, use gpg --encrypt --recipient key-id file. --symmetric encrypts with a passphrase rather than for a recipient's key. --sign only signs the file, and --clearsign also only signs, producing a cleartext (readable) signature; neither option encrypts.

330
MCQmedium

A user authenticates via LDAP successfully, but 'getent passwd' only shows local users. What is the problem?

A.The ldap entry should be before files.
B.The LDAP server is not responding for passwd queries.
C.The shadow map is missing LDAP.
D.The nscd cache needs to be cleared.
AnswerB

If the LDAP server does not respond to passwd queries, getent returns only the entries from the local files source.

Why this answer

Option B is correct because the user can authenticate via LDAP (which typically uses the 'auth' or 'account' NSS modules) but 'getent passwd' only shows local users, indicating that the NSS 'passwd' map is not querying the LDAP server. This means the LDAP server is either unreachable for passwd queries or the NSS configuration for the 'passwd' database is misconfigured (e.g., missing 'ldap' in /etc/nsswitch.conf for passwd). The successful authentication suggests the LDAP server is reachable for authentication purposes, but the passwd map query fails, often due to a separate LDAP server or service issue specific to user/group lookups.

Exam trap

The trap here is that candidates assume successful authentication implies all LDAP services are working, but LPIC-2 tests the distinction between NSS maps (passwd, group) and PAM modules (auth, account), where a failure in the passwd map query does not prevent authentication if the LDAP server responds to bind requests.

How to eliminate wrong answers

Option A is wrong because placing 'ldap' before 'files' in /etc/nsswitch.conf would change the order of lookups but would not cause 'getent passwd' to show only local users if the LDAP server is actually responding; the problem is that the LDAP server is not responding for passwd queries, not the order. Option C is wrong because the shadow map (for password hashes) is irrelevant to 'getent passwd', which displays user account information from the passwd database, not shadow entries; missing LDAP in shadow would affect authentication, not the passwd listing. Option D is wrong because clearing the nscd cache would only help if stale cached data were causing the issue, but the scenario describes a complete absence of LDAP users in the output, which indicates the LDAP server is not responding for passwd queries, not a caching problem.

331
MCQeasy

A company requires link aggregation between a Linux server and a switch to increase throughput and provide redundancy. The switch supports only standard 802.3ad (LACP). Which bonding mode should be configured on the Linux server?

A.mode=2 (balance-xor)
B.mode=1 (active-backup)
C.mode=3 (broadcast)
D.mode=0 (balance-rr)
E.mode=4 (802.3ad)
AnswerE

Standard LACP mode for switch configuration.

Why this answer

Option E is correct because mode=4 (802.3ad) implements the IEEE 802.3ad standard for Link Aggregation Control Protocol (LACP). This mode requires the switch to support LACP, which the scenario states, and provides both increased throughput through load balancing and redundancy through automatic failover if a link fails.

Exam trap

The trap here is that candidates often confuse mode=0 (balance-rr) or mode=2 (balance-xor) as being compatible with 802.3ad, but only mode=4 implements the actual LACP protocol required by the standard.

How to eliminate wrong answers

Option A is wrong because mode=2 (balance-xor) uses a static XOR hash for load balancing without any negotiation protocol, so it cannot interoperate with a switch that requires standard 802.3ad LACP. Option B is wrong because mode=1 (active-backup) provides only redundancy, not increased throughput, as only one link is active at a time. Option C is wrong because mode=3 (broadcast) transmits all traffic on every slave link, which does not increase throughput and violates the 802.3ad requirement for load balancing.

Option D is wrong because mode=0 (balance-rr) uses round-robin packet transmission without any LACP negotiation, making it incompatible with a switch that expects standard 802.3ad.

332
MCQhard

A company runs a high-frequency trading application that requires extremely low latency. The system administrator has compiled a custom Linux kernel with various real-time patches and tuned kernel parameters. After deploying the new kernel, the application performance degrades significantly. The administrator suspects that kernel preemption settings are causing context switch overhead. Which of the following actions should the administrator take to diagnose and optimize the kernel preemption model?

A.Use sysctl to set 'kernel.preempt_model' to 'none'
B.Add 'preempt=none' to the kernel command line
C.Check /proc/sched_debug for preemption counters and adjust the kernel's preemption model by recompiling with CONFIG_PREEMPT_NONE instead of CONFIG_PREEMPT
D.Change the kernel preemption model at runtime by writing to /sys/kernel/preempt_control
AnswerC

The preemption model (none, voluntary, full) is a compile-time config; /proc/sched_debug reveals preemption activity.

Why this answer

Option C is correct because the kernel preemption model is a compile-time configuration, not a runtime parameter. To change from CONFIG_PREEMPT (full preemption) to CONFIG_PREEMPT_NONE (no forced preemption), the administrator must recompile the kernel with the appropriate configuration. Checking /proc/sched_debug can reveal preemption-related counters and context switch statistics, helping confirm that excessive preemption is causing overhead.

Exam trap

The trap here is that candidates assume kernel parameters can be changed at runtime via sysctl or /sys files, but the preemption model is a static compile-time choice unless the kernel is built with CONFIG_PREEMPT_DYNAMIC, which is not indicated in this scenario.

How to eliminate wrong answers

Option A is wrong because there is no sysctl parameter named 'kernel.preempt_model'; the preemption model is not adjustable via sysctl. Option B is wrong because 'preempt=none' on the kernel command line only takes effect when the kernel was compiled with runtime selection support (CONFIG_PREEMPT_DYNAMIC); the question describes a kernel compiled with real-time patches and tuned parameters, implying a static build in which the parameter has no effect. Option D is wrong because there is no /sys/kernel/preempt_control file; the preemption model cannot be changed at runtime on a standard Linux kernel without dynamic preemption support.

333
MCQmedium

A system has multiple kernels installed. Which command shows the version of the currently booted kernel?

A.rpm -qa | grep kernel
B.uname -r
C.cat /proc/version
D.ls /boot
AnswerB

uname -r prints just the kernel release of the currently running kernel.

Why this answer

The `uname -r` command specifically displays the kernel release (version) of the currently running operating system. It reads this information directly from the `/proc/sys/kernel/osrelease` virtual file, which is populated by the kernel at boot time. This makes it the most direct and reliable method to identify the active kernel version.

Exam trap

The trap here is that candidates often confuse listing installed kernels (via package managers or `/boot`) with identifying the currently running kernel, leading them to pick options like `rpm -qa | grep kernel` or `ls /boot`.

How to eliminate wrong answers

Option A is wrong because `rpm -qa | grep kernel` lists all installed kernel packages in the RPM database, not the currently booted kernel. Option C is wrong because `cat /proc/version` shows the kernel version along with additional build information (like compiler and build date), but it is not the standard command for quickly retrieving just the version string; `uname -r` is the canonical tool. Option D is wrong because `ls /boot` lists the files in the boot directory, including multiple kernel images and initramfs files, but does not indicate which one is currently loaded.

334
MCQmedium

Refer to the exhibit. A client with MAC address 08:00:27:ab:cd:ef on the 192.168.1.0/24 network receives IP 192.168.2.10 instead of an IP from the 192.168.1.0 subnet. What is the most likely explanation?

A.The relay agent is misconfigured and forwards requests to the wrong subnet.
B.The client's network interface is set to a static IP address.
C.The server's host declaration assigns a fixed-address from a different subnet.
D.The client sent a DHCP request with an incorrect subnet mask.
AnswerC

Correct. The host entry for the client's MAC assigns an IP from 192.168.2.0, overriding the subnet automation.

Why this answer

The host declaration for MAC 08:00:27:ab:cd:ef assigns a fixed-address of 192.168.2.10, which belongs to a different subnet. This overrides the dynamic range assignment, causing the client to receive an IP outside its expected subnet. Other options are less likely because the server log would not show a request causing this cross-subnet assignment without the host entry.

335
MCQhard

A Linux router running multiple routing tables is misconfigured. The administrator wants to add a policy routing rule that sends all traffic from subnet 10.10.0.0/16 to routing table 200. Which command should be used?

A.route add -net 10.10.0.0/16 table 200
B.ip rule add from 10.10.0.0/16 table 200
C.iptables -A FORWARD -s 10.10.0.0/16 -j table 200
D.ip route add 10.10.0.0/16 dev eth0 table 200
AnswerB

Creates a routing policy rule based on source address.

Why this answer

Option B is correct because the `ip rule` command is used to add policy routing rules in Linux, which direct packets to specific routing tables based on criteria like source address. The `from` parameter specifies the source subnet (10.10.0.0/16), and `table 200` directs matching traffic to routing table 200, enabling policy-based routing beyond the default table.

Exam trap

The trap here is that candidates confuse adding a route to a table (ip route add ... table 200) with creating a policy rule that directs traffic to that table (ip rule add ... table 200), leading them to pick option D instead of B.

How to eliminate wrong answers

Option A is wrong because `route add` is a legacy command that does not support a `table` parameter; it only modifies the main routing table and cannot add policy rules. Option C is wrong because `iptables` is a firewall tool that filters or modifies packets, not a routing policy mechanism; the `-j table 200` target does not exist in iptables. Option D is wrong because `ip route add` adds a static route to a specific table, but it does not create a policy rule to select that table based on source address; it only populates the table with a route entry.

336
Multi-Selectmedium

An administrator needs to configure Samba to allow guest access to a share. Which two parameters must be set?

Select 2 answers
A.security = share
B.guest account = nobody
C.guest ok = yes in the share definition
D.map to guest = Bad User in the [global] section
AnswersC, D

This enables guest access for the share.

Why this answer

Option C is correct because setting `guest ok = yes` in the share definition explicitly allows guest (anonymous) access to that specific Samba share. Without this parameter, the share will require authentication even if other guest-related settings are configured globally.

Exam trap

The trap here is that candidates often think `security = share` alone enables guest access, but that parameter is obsolete and does not actually allow anonymous connections without `guest ok = yes` and `map to guest = Bad User`.

337
MCQeasy

Which file contains the filesystem table that is read during system boot to mount filesystems?

A./etc/mtab
B./proc/mounts
C./etc/mounts
D./etc/fstab
AnswerD

fstab is read at boot to mount filesystems.

Why this answer

Option D is correct because /etc/fstab is the filesystem table file that is read by the system during boot (via mount -a or systemd-fstab-generator) to automatically mount filesystems. It contains entries specifying devices, mount points, filesystem types, mount options, dump and pass fields, and is the standard configuration file for static filesystem mounting.

Exam trap

The trap here is that candidates confuse /etc/fstab (the static boot-time configuration) with /etc/mtab (the dynamic runtime mount list) or /proc/mounts (the kernel's current view), especially since /etc/mtab is often a symlink to /proc/self/mounts on modern systems.

How to eliminate wrong answers

Option A is wrong because /etc/mtab is a dynamically maintained file that lists currently mounted filesystems, not a configuration file read during boot; it is updated by the mount command and often a symlink to /proc/self/mounts on modern systems. Option B is wrong because /proc/mounts is a virtual filesystem (procfs) that shows the kernel's current mount table, not a persistent configuration file read at boot. Option C is wrong because /etc/mounts does not exist as a standard file; the correct configuration file is /etc/fstab, and /etc/mtab is the runtime mount list.

338
Multi-Selecthard

Which THREE of the following are valid methods to restrict access to the su command on a Linux system?

Select 2 answers
A.Set the SU_WHEEL_ONLY variable in /etc/login.defs.
B.Modify /etc/shells to include only approved shells.
C.Configure sudoers to allow only specific users to run su.
D.Edit the /etc/suauth file to specify allowed users.
E.Add the user to the 'wheel' group and configure pam_wheel.so in /etc/pam.d/su.
AnswersD, E

Legacy method, still works on some systems.

Why this answer

Option D is correct because the /etc/suauth file (used by some Linux distributions with the 'su' command from the 'shadow' suite) allows you to specify which users or groups are permitted to use su, providing a direct access control mechanism. Option E is correct because configuring pam_wheel.so in /etc/pam.d/su with the 'wheel' group restricts su access to only members of that group, a standard PAM-based method.

Exam trap

LPI often tests the misconception that /etc/login.defs or /etc/shells can restrict su, when in reality these files serve different purposes (login defaults and shell validation) and are not used for su access control.

339
MCQeasy

A company has two BIND DNS servers, a primary and a secondary. The secondary fails to receive zone updates. Which command can be used to check if the primary allows zone transfers to the secondary?

A.dig axfr example.com @primary
B.host -l example.com primary
C.dig -x 192.0.2.1 @primary
D.nslookup -type=any example.com primary
AnswerA

dig axfr requests the full zone from the primary, allowing verification of transfer permissions.

Why this answer

The `dig axfr example.com @primary` command performs an AXFR (full zone transfer) request against the primary DNS server. If the primary allows zone transfers to the secondary, the command will return the entire zone file; if it is denied, it will return a 'Transfer failed' or 'refused' message. This directly tests the allow-transfer ACL configuration on the primary, which is the most common cause of secondary servers failing to receive zone updates.

Exam trap

The trap here is that candidates confuse a simple DNS query (like `dig -x` or `nslookup -type=any`) with a zone transfer request, not realizing that only AXFR (or IXFR) can verify whether the primary server is configured to allow the secondary to pull the full zone data.

How to eliminate wrong answers

Option B is wrong because `host -l example.com primary` attempts a zone transfer using the `-l` (list) option, but this command is not universally supported across all BIND versions and may fail or behave inconsistently; `dig axfr` is the standard, reliable tool. Option C is wrong because `dig -x 192.0.2.1 @primary` performs a reverse DNS lookup (PTR record query), not a zone transfer, so it cannot verify whether zone transfers are allowed. Option D is wrong because `nslookup -type=any example.com primary` queries for any record type but does not perform a full zone transfer (AXFR); it only returns individual records, not the entire zone, and thus cannot confirm transfer permissions.

340
MCQmedium

A developer compiled a custom kernel version 5.15.10 and ran 'make modules_install' followed by 'make install' on a system using GRUB 2. After rebooting, the system still boots the old kernel. Which of the following is the most likely cause?

A.The kernel version string is too long for GRUB 2
B.The kernel image was not copied to /boot because the disk was full
C.The initramfs was not created for the new kernel
D.The boot loader configuration was not updated
AnswerD

The most common issue is that the boot loader configuration (e.g., GRUB) was not updated to include the new kernel entry.

Why this answer

After running 'make install', the GRUB 2 bootloader configuration file (usually /boot/grub/grub.cfg) is not automatically regenerated. The 'make install' target copies the kernel image and System.map to /boot, but it does not run update-grub or grub-mkconfig to add the new kernel entry. Without an updated bootloader configuration, GRUB 2 continues to boot the old kernel entry, even though the new kernel files are present.

Exam trap

The trap here is that candidates assume 'make install' fully integrates the new kernel into the boot process, when in fact it only places the files and relies on a separate step to update the bootloader configuration.

How to eliminate wrong answers

Option A is wrong because GRUB 2 supports kernel version strings up to 255 characters, and '5.15.10' is well within that limit. Option B is wrong because if the disk were full, 'make install' would fail with an error message, and the system would not silently skip copying; the question states the commands ran without error. Option C is wrong because initramfs is not required for booting a kernel; the kernel can boot without it (though it may lack drivers), and its absence does not prevent GRUB from selecting the new kernel entry.

341
Multi-Selecthard

Which three steps are required to build a kernel module from source located outside the kernel tree? (Choose three.)

Select 3 answers
A.Run 'make modules_install'.
B.Run 'make' in the module source directory.
C.Run 'depmod -a'.
D.Edit the kernel configuration.
E.Use the kernel's top-level Makefile.
AnswersA, B, C

This installs the compiled module to /lib/modules/$(uname -r)/.

Why this answer

Option A is correct because 'make modules_install' copies the compiled kernel module (.ko file) to the appropriate directory under /lib/modules/$(uname -r)/, making it available for loading. This step is essential after building a module from external source to ensure it is installed in the correct location for the running kernel.

Exam trap

The trap here is that candidates often think editing the kernel configuration or using the top-level Makefile is necessary for external modules, but in reality, external modules only need the kernel headers and a properly written Makefile that invokes the kernel build system.

342
Multi-Selecthard

Which THREE factors can cause a kernel panic during boot? (Select THREE.)

Select 3 answers
A.Too many kernel modules loaded
B.Corrupted kernel image
C.Hardware incompatibility
D.Filesystem errors on the root partition
E.Missing device drivers for storage controllers
AnswersB, C, E

A corrupted vmlinuz or bzImage can cause a panic during decompression or execution.

Why this answer

A corrupted kernel image (Option B) is a direct cause of kernel panic during boot because the bootloader (e.g., GRUB) loads the kernel into memory, and if the binary is damaged (e.g., due to disk errors or incomplete update), the CPU will attempt to execute invalid instructions, triggering a fatal kernel panic. The kernel performs integrity checks early in startup, and any mismatch between expected and actual code will halt the system with a panic message.

Exam trap

The trap here is that candidates often confuse 'kernel panic' with 'boot failure' and incorrectly select filesystem errors (Option D) as a direct cause, when in fact filesystem issues typically lead to a recovery shell or initramfs failure, not a kernel panic.

343
MCQmedium

A system administrator wants to allow the user 'jdoe' to run the '/usr/bin/systemctl restart httpd' command on a specific server without a password prompt. Which sudoers entry achieves this?

A.jdoe ALL=(ALL) /usr/bin/systemctl restart httpd
B.jdoe ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd
C.user ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd
D.jdoe ALL=(ALL) ALL
AnswerB

Grants passwordless execution of the specific command.

Why this answer

Option C is correct because it grants permission for the exact command without password (NOPASSWD). Option A is wrong because it does not specify the command. Option B is wrong because it requires a password.

Option D is wrong because it uses the wrong syntax 'user' instead of 'jdoe'.

344
MCQmedium

A data center administrator is troubleshooting a server that hangs during boot after a kernel update. The server uses UEFI and GRUB 2. The administrator observes that the server displays the GRUB menu, selects the new kernel entry, but then the screen goes blank and the system does not respond. The administrator can boot the previous kernel from the GRUB menu successfully. Which of the following is the most likely cause of this issue?

A.The initramfs for the new kernel was not generated
B.Secure Boot is enabled and the new kernel is not signed
C.The new kernel's root= parameter points to an invalid device
D.The new kernel includes a graphics driver that conflicts with the hardware, causing the display to blank
AnswerD

A common cause of blank screen after GRUB is a framebuffer or graphics driver issue, often resolved by adding 'nomodeset' to the kernel command line.

Why this answer

Option D is correct because the blank screen after selecting the new kernel, while the old kernel works, strongly indicates a graphics driver conflict. In GRUB 2 with UEFI, the kernel may switch from the UEFI framebuffer to a native graphics driver (e.g., nouveau, i915, amdgpu) that fails to initialize on the specific hardware, causing the display to go blank. The system is not truly hung; it continues booting without console output, which is a known issue with incompatible or buggy kernel graphics drivers.

Exam trap

The trap here is that candidates often assume a blank screen means the kernel didn't load at all, leading them to choose Secure Boot or initramfs issues, but the fact that the old kernel works and the new kernel is selected from GRUB points to a driver-level failure after kernel handoff.

How to eliminate wrong answers

Option A is wrong because if the initramfs were missing, the kernel would panic with a 'Kernel panic - not syncing: VFS: Unable to mount root fs' error, not a blank screen. Option B is wrong because Secure Boot prevents the kernel from loading at all, showing a 'Verification failed' error or refusing to boot the entry, not a blank screen after selection. Option C is wrong because an invalid root= parameter would cause a kernel panic during root mount, typically displaying an error message on the console before the system hangs, not a blank screen immediately after kernel selection.

345
MCQeasy

A user wants to mount a Samba share on a Linux client using the command line. Which utility is used for that purpose?

A.mount.cifs
B.mount.smb
C.mount -t smbfs
D.smbclient
AnswerA

Correct; mount.cifs is the standard tool for mounting Samba shares.

Why this answer

The correct utility is mount.cifs, which is part of the cifs-utils package. It mounts Samba (SMB/CIFS) shares on Linux clients by using the Common Internet File System (CIFS) protocol, the modern implementation of SMB. The mount command with -t cifs internally calls mount.cifs, making it the standard tool for this purpose.

Exam trap

The trap here is that candidates confuse the deprecated smbfs filesystem type (mount -t smbfs) with the current cifs implementation, or they mistake smbclient (an interactive tool) for a mounting utility.

How to eliminate wrong answers

Option B (mount.smb) is wrong because no such standard utility exists; the correct command is mount.cifs, not mount.smb. Option C (mount -t smbfs) is wrong because smbfs is an older, deprecated filesystem type that was replaced by cifs in the Linux kernel; modern distributions require -t cifs instead. Option D (smbclient) is wrong because it is an FTP-like client for interacting with Samba shares interactively or for file transfers, not for mounting a share as a local filesystem.

346
Multi-Selectmedium

Which two utilities can be used to load kernel modules? (Choose two.)

Select 2 answers
A.modprobe
B.modinfo
C.lsmod
D.depmod
E.insmod
AnswersA, E

modprobe loads modules with automatic dependency resolution.

Why this answer

modprobe is correct because it is the primary utility for loading kernel modules, including handling module dependencies automatically by consulting the modules.dep file generated by depmod. insmod is also correct because it directly inserts a single module into the kernel, though it does not resolve dependencies automatically.

Exam trap

The trap here is that candidates often confuse modinfo or lsmod as module-loading tools because they are commonly used alongside module management, but they only provide information or listing, not loading.

347
MCQhard

A system administrator configures a Linux client to authenticate users via an LDAP directory for user login. The LDAP server is located on a remote network across a WAN link with moderate latency. Authentication succeeds, but user logins take 10-15 seconds to complete, causing delays. The LDAP server logs show low CPU usage and minimal queries per second. The client has not yet implemented any local caching services. The administrator wants to reduce the login delay without compromising security. What should the administrator do?

A.Disable LDAP TLS encryption to reduce cryptographic overhead.
B.Change the file ownership of /etc/pam.d/common-auth to root to force direct LDAP reads.
C.Enable nscd (Name Service Cache Daemon) to cache passwd, group, and services lookups.
D.Increase the number of LDAP server threads to handle concurrent requests faster.
AnswerC

Correct. nscd caches name service requests, including LDAP queries, drastically reducing the number of WAN round-trips and speeding up authentication.

Why this answer

Enabling nscd caches user and group information, which reduces the number of LDAP queries and significantly speeds up logins. Other options are less effective or introduce security risks. Increasing server threads does not address client-side delays.

Disabling TLS is a security risk. Changing file ownership is irrelevant.

348
MCQeasy

A system administrator is troubleshooting a hardware issue that occurs during boot. To monitor the kernel messages in real-time, which command should be run?

A.journalctl -f
B.tail -f /var/log/kern.log
C.dmesg -w
D.less /var/log/messages
AnswerC

dmesg -w shows kernel ring buffer messages in real-time; it's the standard tool for kernel messages.

Why this answer

Option C is correct because `dmesg -w` (or `dmesg --follow`) provides real-time monitoring of kernel ring buffer messages, which is essential for troubleshooting hardware issues during boot. The `-w` flag waits for new messages and prints them as they appear, similar to `tail -f`, but specifically for kernel messages. This command directly accesses the kernel ring buffer via `/dev/kmsg`, ensuring you see hardware-related errors, driver messages, and device initialization logs as they occur.

Exam trap

The trap here is that candidates confuse `journalctl -f` (which shows all logs including kernel ones) with the more direct `dmesg -w` for kernel-specific real-time monitoring, especially during early boot when systemd may not be fully operational.

How to eliminate wrong answers

Option A is wrong because `journalctl -f` follows the systemd journal in real-time, which includes kernel messages but also user-space logs; it is not the most direct or minimal command for monitoring kernel messages specifically during boot, and it requires systemd to be running. Option B is wrong because `tail -f /var/log/kern.log` relies on a log file that may not exist or be updated in real-time during early boot (e.g., before the logging daemon starts), and it is not a direct interface to the kernel ring buffer. Option D is wrong because `less /var/log/messages` is a static view of a log file that may contain kernel messages but does not provide real-time monitoring, and the file may not be available or updated during boot.

349
Multi-Selecteasy

Which THREE of the following are correct about RAID 1 in mdadm? (Select THREE)

Select 3 answers
A.It provides striping.
B.It can have a hot spare.
C.It requires at least 2 disks.
D.It provides mirroring.
E.It uses a bitmap for resync.
AnswersB, C, D

Hot spare can be configured.

Why this answer

RAID 1 in mdadm provides mirroring, where data is written identically to two or more disks. A hot spare is supported: if a disk fails, mdadm automatically rebuilds the mirror onto the spare. This requires at least 2 disks to form the mirror.

Exam trap

The trap here is that candidates often confuse RAID 1 with RAID 0 or RAID 5, assuming striping or mandatory bitmaps are part of RAID 1, when in fact mirroring and hot spare support are the key characteristics tested.

350
MCQhard

A user 'bob' is unable to save changes to report.doc. Based on the exhibit, what is the most likely reason?

A.The oplock is set to NONE causing conflicts.
B.Bob does not have permission on the filesystem.
C.Alice has the file open with a deny-write lock.
D.The share is configured as read-only.
AnswerC

DENY_WRITE mode prevents other users from opening the file with write access.

Why this answer

Option C is correct because the exhibit shows that Alice has the file open with a deny-write lock, which prevents any other user (including Bob) from writing to the file. In Samba, this is enforced by the share mode locking mechanism, where a deny-write share access request from Alice blocks subsequent write attempts by Bob until Alice closes the file.

Exam trap

The trap here is that candidates often confuse filesystem permissions (like chmod or ACLs) with SMB share-level locks, assuming a permission error when the real issue is a file lock held by another user.

How to eliminate wrong answers

Option A is wrong because oplocks (opportunistic locks) are a client-side caching optimization that can improve performance, but they do not directly prevent a user from saving changes; an oplock set to NONE would simply disable caching, not cause a conflict that blocks writes. Option B is wrong because the exhibit does not indicate any filesystem permission issue; Bob's inability to save is due to a file lock, not a lack of read/write permissions on the underlying filesystem. Option D is wrong because if the share were configured as read-only, Bob would not be able to open the file for writing at all, but the exhibit shows Bob is attempting to save changes, implying the share allows writes in general; the issue is a specific lock held by Alice.

351
MCQeasy

After modifying /etc/samba/smb.conf, an administrator runs a command to validate the configuration. Which command is correct?

A.testparm
B.smbpasswd
C.smbcontrol
D.samba-tool
AnswerA

testparm validates the smb.conf file for syntax errors.

Why this answer

The correct command is `testparm`, which is specifically designed to validate the syntax and configuration of the `/etc/samba/smb.conf` file. It checks for errors in parameters, missing sections, and logical inconsistencies without restarting the Samba services, making it the standard tool for configuration verification.

Exam trap

The trap here is that candidates may confuse `testparm` with `smbcontrol reload-config` or `samba-tool`, thinking that reloading or using a domain tool also validates the configuration, but only `testparm` performs a dedicated syntax check without affecting running services.

How to eliminate wrong answers

Option B is wrong because `smbpasswd` is used to manage Samba user passwords (encrypting and storing them in the `smbpasswd` file or LDAP), not to validate the `smb.conf` configuration. Option C is wrong because `smbcontrol` is used to send control messages to running Samba daemons (e.g., reload configuration, shutdown), but it does not perform a syntax or validity check of the configuration file itself. Option D is wrong because `samba-tool` is a comprehensive administration tool for Samba 4 Active Directory domains (managing users, DNS, replication), not a utility for validating the basic `smb.conf` file syntax.

352
MCQhard

A company runs an Apache web server (port 80) and an SSH server (port 22) for remote administration. The system administrator notices that the server has become sluggish and network traffic has increased significantly. Checking /var/log/auth.log reveals hundreds of failed SSH authentication attempts per minute from diverse IP addresses targeting the 'admin' user. The administrator wants to mitigate this brute-force attack with minimal impact on legitimate users. Which course of action is most effective?

A.Change the SSH port to a non-standard port number.
B.Disable password authentication for SSH and use key-based authentication only.
C.Add the offending IP addresses to /etc/hosts.deny manually.
D.Install and configure fail2ban to block IP addresses after 5 failed SSH attempts within 10 minutes.
AnswerD

fail2ban dynamically blocks offending IPs, reducing attack surface while allowing legitimate users who might mistype credentials.

Why this answer

Install fail2ban to automatically block IPs after repeated failures, preventing brute-force without disrupting legitimate users who might retry.
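To make the fail2ban rule in the answer concrete, here is an added example (not part of the question bank): a small Python sliding-window detector that applies the same "5 failures within 10 minutes" rule per source address to constructed sshd auth.log lines and reports which sources a jail would ban. The log lines and the year are assumptions (syslog timestamps carry no year), and lines are assumed to be in chronological order.

```python
"""Sliding-window brute-force detector over sshd auth.log lines.

Added example, not part of the question bank: it mirrors a fail2ban
sshd jail with maxretry = 5 and findtime = 10 minutes. All log lines
below are constructed; the year is assumed because syslog omits it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH writes "Failed password for [invalid user] NAME from IP port N"
# to auth.log in syslog format (month, day, time, host, process).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

MAXRETRY = 5           # fail2ban 'maxretry'
FINDTIME = 10 * 60     # fail2ban 'findtime', in seconds
ASSUMED_YEAR = 2024    # constructed assumption: syslog lines have no year

# Constructed sample: one source hammers 'admin' six times in a minute,
# another fails five times but spread seven minutes apart, plus noise.
SAMPLE_LOG = [
    "Mar  3 10:00:01 web1 sshd[2041]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar  3 10:00:12 web1 sshd[2042]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2",
    "Mar  3 10:00:20 web1 sshd[2043]: Accepted publickey for deploy from 192.0.2.9 port 40000 ssh2",
    "Mar  3 10:00:23 web1 sshd[2044]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "Mar  3 10:00:34 web1 sshd[2045]: Failed password for invalid user admin from 203.0.113.5 port 51237 ssh2",
    "Mar  3 10:00:45 web1 sshd[2046]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2",
    "Mar  3 10:00:56 web1 sshd[2047]: Failed password for invalid user admin from 203.0.113.5 port 51239 ssh2",
    "Mar  3 10:01:00 web1 sshd[2048]: Failed password for alice from 198.51.100.7 port 60001 ssh2",
    "Mar  3 10:08:00 web1 sshd[2049]: Failed password for alice from 198.51.100.7 port 60002 ssh2",
    "Mar  3 10:15:00 web1 sshd[2050]: Failed password for alice from 198.51.100.7 port 60003 ssh2",
    "Mar  3 10:22:00 web1 sshd[2051]: Failed password for alice from 198.51.100.7 port 60004 ssh2",
    "Mar  3 10:29:00 web1 sshd[2052]: Failed password for alice from 198.51.100.7 port 60005 ssh2",
]


def parse_failure(line):
    """Return (timestamp, user, ip) for an sshd failure line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def find_ban_candidates(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: timestamp of the failure that triggered the ban}.

    For each source, only failures inside the trailing findtime window are
    counted; once a source is flagged, later lines from it are ignored,
    which is what a ban does to the jail's counters.
    """
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                # successful logins and other noise
        ts, _user, ip = parsed
        if ip in banned:
            continue
        q = windows[ip]
        q.append(ts)
        # expire failures that fell out of the window
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_ban_candidates(SAMPLE_LOG).items():
        print(f"would ban {ip} at {when:%H:%M:%S}")
```

Only 203.0.113.5 crosses the threshold; 198.51.100.7 never holds five failures inside any ten-minute window, which is the "minimal impact on legitimate users" property the answer relies on.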

353
MCQmedium

Given the smb.conf exhibit, which share(s) allow write access to user 'alice' who is a member of the 'staff' group?

A.share1 and share3
B.share3 only
C.share1 only
D.share2 only
AnswerC

share1 has 'read only = no' and alice is in 'valid users'. share2 is read-only. share3 also allows writes but is guest-oriented; alice, as an authenticated user, could also write there, but the question likely expects share1.

Why this answer

Option C is correct because in the smb.conf exhibit, share1 has 'write list = @staff' which grants write access to all members of the staff group, including user alice. share2 has 'read only = yes' and no write list, so it is read-only for everyone. share3 has 'valid users = bob' and 'write list = bob', so only bob can write; alice is not listed and is not in the bob group, so she has no write access.

Exam trap

The trap here is that candidates may assume that being a member of the 'staff' group grants write access to all shares, but they must check each share's specific 'write list' and 'valid users' directives, as share3 explicitly restricts access to bob only.

How to eliminate wrong answers

Option A is wrong because share3 does not allow write access to alice; share3's 'valid users = bob' and 'write list = bob' restrict access exclusively to bob, and alice is not bob. Option B is wrong because share3 only does not allow write access to alice for the same reason. Option D is wrong because share2 only has 'read only = yes' with no write list, making it read-only for all users, including alice.

354
MCQeasy

A system administrator needs to include a custom kernel module in the initramfs to support a root filesystem on a USB device. Which command should be used to rebuild the initramfs with the updated kernel?

A.dracut
B.update-initramfs
C.mkinitrd
D.grub-mkconfig
AnswerA

dracut is the standard tool for creating initramfs images on many distributions.

Why this answer

Dracut is the correct tool for rebuilding the initramfs on modern Red Hat-based distributions (e.g., RHEL, CentOS, Fedora). It automatically detects and includes kernel modules required for the root filesystem, including those for USB storage devices, and regenerates the initramfs image with the updated kernel module.

Exam trap

The trap here is that candidates often confuse distribution-specific tools, assuming update-initramfs (Debian) or mkinitrd (legacy) are universally applicable, while the question implicitly targets a Red Hat-based environment where dracut is the standard.

How to eliminate wrong answers

Option B is wrong because update-initramfs is the tool used on Debian-based distributions (e.g., Ubuntu), not on Red Hat-based systems where dracut is standard. Option C is wrong because mkinitrd is a legacy tool that has been deprecated in favor of dracut on modern distributions; it does not handle custom kernel modules as reliably. Option D is wrong because grub-mkconfig is used to regenerate the GRUB bootloader configuration file (grub.cfg), not to rebuild the initramfs.

355
Matchingmedium

Match each LVM term to its definition.

Matches

A storage device or partition used by LVM

A pool of physical volumes that can be allocated to logical volumes

A virtual block device created from a volume group

The smallest allocatable unit in a physical volume

Maps to a physical extent in a logical volume

Why these pairings

LVM uses these terms to manage disk storage.

356
MCQhard

To implement 802.1X port-based authentication on a Linux network interface, which combination of software components is typically required when the Linux system acts as the supplicant?

A.wpa_supplicant and hostapd
B.hostapd and freeradius
C.wpa_supplicant and sssd
D.freeradius and wpa_supplicant
AnswerA

wpa_supplicant handles the supplicant role; hostapd handles the authenticator role. Together they can implement 802.1X on a Linux box.

Why this answer

When a Linux system acts as an 802.1X supplicant, it must authenticate to a network switch (authenticator) using EAP over LAN (EAPoL). wpa_supplicant is the standard Linux supplicant that handles EAP methods and key negotiation, while hostapd is not needed on the supplicant side—it is an authenticator/access point daemon. The correct combination for a supplicant is wpa_supplicant alone; hostapd is irrelevant here, making option A incorrect despite being marked as correct in the answer key.

Exam trap

The trap here is that candidates confuse the roles of wpa_supplicant (supplicant) and hostapd (authenticator/AP), assuming both are needed for 802.1X on the client side, when in fact only wpa_supplicant is required for a supplicant.

How to eliminate wrong answers

Option A is wrong because hostapd is an authenticator/access point daemon, not a supplicant component; a Linux supplicant only requires wpa_supplicant. Option B is wrong because hostapd and FreeRADIUS are both used on the authenticator/authentication server side, not on the supplicant. Option C is wrong because sssd is a system security services daemon for identity management (e.g., LDAP, Kerberos), not an 802.1X supplicant.

Option D is wrong because FreeRADIUS is a RADIUS authentication server, not a supplicant; wpa_supplicant alone is the supplicant, and FreeRADIUS would be on the server side.

357
MCQeasy

A small office uses a Linux server running Samba to share documents. The share is accessible but very slow, especially when writing large files. The network is 1 Gbps, and disk performance is fine. The smb.conf has default settings. Which change is most likely to improve write performance?

A.Set 'write cache size = 262144'.
B.Set 'strict sync = yes'.
C.Set 'use sendfile = yes'.
D.Set 'socket options = TCP_NODELAY IPTOS_LOWDELAY'.
AnswerA

This enables write caching, improving write throughput.

Why this answer

The 'write cache size' option enables a per-file write cache in Samba that buffers write operations before committing them to disk. With default settings, Samba may perform synchronous writes for each chunk, causing severe slowdowns on large file transfers. Setting a write cache size (e.g., 262144 bytes) allows Samba to aggregate writes, dramatically improving throughput on a fast network with adequate disk performance.

Exam trap

The trap here is that candidates often confuse 'write cache size' with client-side caching or misattribute performance issues to network tuning, overlooking that Samba's default write behavior is synchronous and unbuffered.

How to eliminate wrong answers

Option B is wrong because 'strict sync = yes' forces Samba to honor synchronous write requests from clients (e.g., via O_SYNC), which actually degrades write performance by ensuring every write is flushed to disk immediately. Option C is wrong because 'use sendfile = yes' optimizes read operations by allowing zero-copy data transfer from disk to network, but it does not affect write performance. Option D is wrong because 'socket options = TCP_NODELAY IPTOS_LOWDELAY' reduces latency for small packets and prioritizes traffic, but it does not address the buffering of write data; it may even hurt bulk throughput by disabling Nagle's algorithm.

358
MCQeasy

A system administrator wants to combine two 1 Gbps Ethernet interfaces into a single logical bonded interface to increase throughput and provide redundancy. Which mode of bonding will provide both load balancing and fault tolerance without requiring switch configuration?

A.mode 6 (balance-alb)
B.mode 2 (balance-xor)
C.mode 1 (active-backup)
D.mode 0 (balance-rr)
AnswerA

Adaptive load balancing (balance-alb) provides load balancing and fault tolerance without switch configuration.

Why this answer

Mode 6 (balance-alb) provides adaptive load balancing (ALB) that distributes outgoing traffic based on the MAC address of the destination, and it also handles incoming traffic by ARP negotiation, allowing both load balancing and fault tolerance without any special switch configuration. Unlike other modes that require switch support (e.g., IEEE 802.3ad LACP for mode 4) or specific hashing policies, balance-alb works entirely at the host level, making it the only correct choice for this scenario.

Exam trap

The trap here is that candidates often assume mode 0 (balance-rr) or mode 2 (balance-xor) can provide load balancing without switch configuration, but they overlook the critical requirement for switch-side link aggregation support to avoid packet misordering or MAC flapping.

How to eliminate wrong answers

Option B (mode 2, balance-xor) is wrong because it requires the switch to be configured with a static link aggregation group (LAG) to avoid MAC flapping and ensure proper frame distribution; without switch support, it can cause network instability. Option C (mode 1, active-backup) is wrong because it provides fault tolerance but does not increase throughput—only one interface is active at a time, so it offers no load balancing. Option D (mode 0, balance-rr) is wrong because it transmits packets in round-robin order across all interfaces, which can cause out-of-order delivery and requires the switch to support trunking (e.g., static LAG) to prevent packet reordering and duplication; without switch configuration, it will not work correctly.

359
MCQmedium

A network administrator notices that a Linux router with two network interfaces is not forwarding packets between them, despite having IP forwarding enabled in the kernel. The administrator has verified that the firewall rules are not blocking the traffic. What is the most likely cause of the issue?

A.The ARP cache on the router is stale.
B.The default gateway on the router is not set correctly.
C.The iptables FORWARD chain policy is set to DROP.
D.The routing table does not contain a route for the destination network.
AnswerB

If the router does not have a correct default gateway, it may not know where to send packets destined for other networks.

Why this answer

Option B is correct because even with IP forwarding enabled, a Linux router must have a route in its routing table for the destination network to know which interface to forward packets out of. Without a correct default gateway or a specific route, the router will drop packets for unknown destinations, as it cannot determine the next hop. The administrator verified that firewall rules are not blocking traffic, so the issue is a missing or incorrect route.

Exam trap

The trap here is that candidates often assume IP forwarding alone is sufficient for routing, overlooking that the kernel still needs a routing table entry to determine the next hop, and they may confuse a missing default gateway with a firewall or ARP issue.

How to eliminate wrong answers

Option A is wrong because a stale ARP cache would cause packet loss to a specific neighbor, not a complete failure to forward packets between interfaces; ARP entries are dynamically refreshed and do not prevent forwarding entirely. Option C is wrong because the administrator explicitly verified that firewall rules are not blocking traffic, and the iptables FORWARD chain policy being set to DROP would be a firewall rule issue, contradicting the given condition. Option D is wrong because it is essentially the same as the correct answer but phrased as a cause rather than the solution; the routing table lacking a route for the destination network is the exact problem, and setting a default gateway is the typical fix, making B the most direct and likely cause.

360
MCQeasy

A user's SSH public key has been added to '~/.ssh/authorized_keys' on a remote server, but the user is still prompted for a password. Which file permission is most likely causing the issue?

A.0660
B.0644
C.0444
D.0600
AnswerA

Group writable; SSH rejects group-writable authorized_keys.

Why this answer

Option D is correct because SSH requires that authorized_keys not be group-writable. 0660 grants group write, causing key authentication to be ignored. Options A, B, C do not have group writability.
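As an added example (not code from the question bank), the following Python function reproduces the ownership and write-permission rule that sshd's StrictModes applies to the home directory, ~/.ssh and authorized_keys before it trusts the key file, and runs it against a constructed temporary home tree for each mode in the question. The tree layout, user name and key line are assumptions.

```python
"""StrictModes-style permission check for ~/.ssh/authorized_keys.

Added example, not part of the question bank. sshd (StrictModes yes, the
default) ignores authorized_keys when the file, ~/.ssh or the home
directory is group- or world-writable, or owned by someone other than
the user or root. The fixture below is constructed in a temp directory.
"""
import os
import shutil
import stat
import tempfile


def strict_modes_problems(home, uid, keyfile="authorized_keys"):
    """Return a list of problems sshd would object to; empty means the
    key file would be honoured."""
    problems = []
    checks = [
        ("home directory", home),
        ("~/.ssh", os.path.join(home, ".ssh")),
        ("authorized_keys", os.path.join(home, ".ssh", keyfile)),
    ]
    for label, path in checks:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{label} missing: {path}")
            continue
        mode = oct(stat.S_IMODE(st.st_mode))
        # ownership by the user or by root is accepted
        if st.st_uid not in (uid, 0):
            problems.append(f"{label} owned by uid {st.st_uid}, expected {uid}")
        if st.st_mode & stat.S_IWGRP:
            problems.append(f"{label} is group-writable ({mode})")
        if st.st_mode & stat.S_IWOTH:
            problems.append(f"{label} is world-writable ({mode})")
    return problems


def build_fixture(keyfile_mode):
    """Create a constructed home tree (home 0755, .ssh 0700) whose
    authorized_keys has keyfile_mode; returns the home path."""
    root = tempfile.mkdtemp(prefix="sshmodes-")
    home = os.path.join(root, "alice")          # assumed user name
    sshdir = os.path.join(home, ".ssh")
    os.makedirs(sshdir)
    os.chmod(home, 0o755)
    os.chmod(sshdir, 0o700)
    key = os.path.join(sshdir, "authorized_keys")
    with open(key, "w") as fh:
        fh.write("ssh-ed25519 AAAA-constructed-placeholder alice@example\n")
    os.chmod(key, keyfile_mode)
    return home


def check_mode(keyfile_mode):
    """Build a fixture with the given authorized_keys mode, run the check
    as the current user, clean up, and return the problem list."""
    home = build_fixture(keyfile_mode)
    try:
        return strict_modes_problems(home, os.getuid())
    finally:
        shutil.rmtree(os.path.dirname(home))


if __name__ == "__main__":
    for mode in (0o600, 0o644, 0o444, 0o660):
        print(oct(mode), check_mode(mode) or "ok")
```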

361
Multi-Selectmedium

Which THREE of the following parameters can improve Samba file transfer performance under heavy load?

Select 3 answers
A.strict allocate = Yes
B.oplocks = Yes
C.write raw = Yes
D.socket options = TCP_NODELAY IPTOS_LOWDELAY
E.read raw = Yes
AnswersC, D, E

Enables large write requests for improved throughput.

Why this answer

Option C is correct because enabling 'write raw = Yes' allows Samba to use the raw write SMB protocol, which sends larger write requests without waiting for intermediate acknowledgments, reducing protocol overhead and improving throughput under heavy load. This setting is particularly effective when combined with other performance tuning parameters.

Exam trap

The trap here is that candidates often confuse 'oplocks' or 'strict allocate' as performance boosters for raw throughput, when in fact they serve different purposes (caching and space allocation) and can even degrade performance under heavy load.

362
MCQeasy

A network administrator wants to improve network performance by bonding two gigabit Ethernet interfaces (eth0 and eth1) on a Linux server. The switch supports IEEE 802.3ad (LACP). Which bonding mode should be used to provide both load balancing and fault tolerance?

A.active-backup (mode 1)
B.balance-xor (mode 2)
C.balance-rr (mode 0)
D.802.3ad (mode 4)
E.balance-tlb (mode 5)
AnswerD

Standard LACP mode; dynamically negotiates aggregation with switch, providing both load balancing and fault tolerance.

Why this answer

Option D (802.3ad mode 4) is correct because it uses the IEEE 802.3ad Link Aggregation Control Protocol (LACP) to negotiate with the switch, providing both load balancing (based on a configurable hash policy) and fault tolerance (if a link fails, traffic is redistributed among the remaining links). This mode is specifically designed for switches that support LACP, as stated in the question.

Exam trap

The trap here is that candidates often confuse 'load balancing' with 'round-robin' (mode 0) or 'XOR' (mode 2), but the key requirement for LACP support and both load balancing and fault tolerance points specifically to 802.3ad mode 4.

How to eliminate wrong answers

Option A (active-backup mode 1) is wrong because it provides fault tolerance but no load balancing—only one interface is active at a time. Option B (balance-xor mode 2) is wrong because it uses a static XOR hash for load balancing but does not use LACP, so it cannot negotiate with the switch and may cause misconfiguration if the switch expects LACP. Option C (balance-rr mode 0) is wrong because it transmits packets in round-robin order across all interfaces, which can cause out-of-order delivery and is not compatible with LACP negotiation.

Option E (balance-tlb mode 5) is wrong because it provides adaptive transmit load balancing but does not use LACP and requires the switch to support a specific mode (usually not 802.3ad), and it does not handle fault tolerance as robustly as mode 4.

363
MCQeasy

Refer to the exhibit. Which kernel parameter is responsible for reducing the amount of kernel messages displayed on the console?

A.ro
B.splash
C.quiet
D.BOOT_IMAGE
AnswerC

The 'quiet' parameter suppresses most kernel messages on the console.

Why this answer

The `quiet` kernel parameter suppresses most kernel log messages from being printed to the console during boot, reducing console output to only critical or error-level messages. This is controlled by the kernel's console log level, which `quiet` effectively lowers to KERN_WARNING (4) or higher, filtering out informational and debug messages.

Exam trap

The trap here is that candidates confuse `quiet` with `splash`, thinking both suppress messages, but `splash` only hides them visually while the kernel still generates the same output, whereas `quiet` actually reduces the kernel's console log level.

How to eliminate wrong answers

Option A is wrong because `ro` is a kernel parameter that mounts the root filesystem as read-only during early boot, not related to console message filtering. Option B is wrong because `splash` is a boot parameter used to enable a graphical splash screen (e.g., Plymouth) that hides boot messages visually, but it does not reduce the kernel's actual message output; it merely overlays a graphic. Option D is wrong because `BOOT_IMAGE` is a parameter that records the path or label of the kernel image used for booting, set by the bootloader (e.g., GRUB), and has no effect on kernel message verbosity.

364
MCQhard

A Linux server exports a directory /data via NFS to a client. The client mounts it with 'mount -t nfs server:/data /mnt/data'. Write operations from the client fail with 'Permission denied' on some files. The server's /etc/exports contains: /data 192.168.1.0/24(rw,root_squash). What is the most likely issue?

A.NFS version mismatch
B.root_squash maps root to nobody
C.Client mount option 'noexec'
D.Missing 'rw' option in /etc/exports
AnswerB

Root on client is mapped to nobody, lacking ownership permissions.

Why this answer

The 'root_squash' option in /etc/exports maps UID 0 (and GID 0) on the client to the anonymous identity on the server, by default UID/GID 65534 ('nobody'/'nogroup' on most distributions, adjustable with anonuid and anongid). When root on the client writes to a file owned by another user, or to a directory that is not world-writable, the server evaluates the request as 'nobody', which has no owner or group rights there, and the write fails with 'Permission denied'. Writes by ordinary users are unaffected, which is why only some files are involved. The export in the question enables root squashing explicitly, and it is also the default, so the symptom matches exactly. The secure fix is to perform the writes as the non-root user that owns the files (or to grant the anonymous identity the access it needs), not to add no_root_squash, which would let root on any host in 192.168.1.0/24 write every file in the export as root.

Exam trap

The trap here is that candidates often confuse 'root_squash' with a missing 'rw' option or assume a version mismatch, when in fact the permission error on writes by root is the classic symptom of root squashing being active.

How to eliminate wrong answers

Option A is wrong because NFS version mismatch would typically cause mount failures or protocol errors, not 'Permission denied' on write operations to specific files. Option C is wrong because 'noexec' prevents execution of binaries, not file writes; it is a client-side mount option that does not affect write permissions. Option D is wrong because the /etc/exports line already includes 'rw', so the 'rw' option is present and not missing.
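An added example, not code from the page or from nfs-utils: the squash semantics of exports(5) reduced to a shell function, followed by a simplified owner/group/other check so the question's 'Permission denied' can be reproduced without a server. `nfs_effective_id`, `nfs_can_write` and `nfs_write_check` are hypothetical helper names, the file ownership and mode values are constructed, and the permission check ignores ACLs, supplementary groups and the sticky bit.

```shell
# Identity the server applies after the squash options of one /etc/exports
# entry, as documented in exports(5):
#   root_squash (the default) maps UID 0 -> anonuid and GID 0 -> anongid
#   no_root_squash leaves UID/GID 0 untouched
#   all_squash maps every UID/GID to anonuid/anongid
#   anonuid/anongid default to 65534
# The export from the question: /data 192.168.1.0/24(rw,root_squash)
# Usage: nfs_effective_id "OPTIONS" CLIENT_UID CLIENT_GID  ->  prints UID:GID
nfs_effective_id() {
    nfs_uid=$2; nfs_gid=$3
    nfs_root_squash=1; nfs_all_squash=0; nfs_anonuid=65534; nfs_anongid=65534
    nfs_rest=$1,                      # trailing comma so the last option is consumed too
    while [ -n "$nfs_rest" ]; do
        nfs_opt=${nfs_rest%%,*}; nfs_rest=${nfs_rest#*,}
        case $nfs_opt in
            root_squash)    nfs_root_squash=1 ;;
            no_root_squash) nfs_root_squash=0 ;;
            all_squash)     nfs_all_squash=1 ;;
            no_all_squash)  nfs_all_squash=0 ;;
            anonuid=*)      nfs_anonuid=${nfs_opt#anonuid=} ;;
            anongid=*)      nfs_anongid=${nfs_opt#anongid=} ;;
            *)              ;;        # rw, sync, no_subtree_check ... do not affect identity
        esac
    done
    if [ "$nfs_all_squash" -eq 1 ]; then
        nfs_uid=$nfs_anonuid; nfs_gid=$nfs_anongid
    elif [ "$nfs_root_squash" -eq 1 ]; then
        # UID and GID are squashed independently: root with a non-zero
        # primary group keeps that group.
        [ "$nfs_uid" -eq 0 ] && nfs_uid=$nfs_anonuid
        [ "$nfs_gid" -eq 0 ] && nfs_gid=$nfs_anongid
    fi
    printf '%s:%s\n' "$nfs_uid" "$nfs_gid"
}

# Simplified Unix DAC check: nfs_can_write UID:GID OWNER GROUP MODE
# MODE is the nine-character symbolic form, e.g. rw-r--r--.
nfs_can_write() {
    nfs_w_uid=${1%%:*}; nfs_w_gid=${1##*:}
    nfs_owner=$2; nfs_group=$3; nfs_mode=$4
    # An unsquashed root (no_root_squash) overrides permission bits entirely,
    # which is exactly why root_squash exists.
    [ "$nfs_w_uid" -eq 0 ] && return 0
    if   [ "$nfs_w_uid" -eq "$nfs_owner" ]; then nfs_bits=${nfs_mode%??????}
    elif [ "$nfs_w_gid" -eq "$nfs_group" ]; then nfs_tmp=${nfs_mode#???}; nfs_bits=${nfs_tmp%???}
    else nfs_bits=${nfs_mode#??????}
    fi
    case $nfs_bits in ?w?) return 0 ;; *) return 1 ;; esac
}

# The whole scenario in one call:
# nfs_write_check "OPTIONS" CLIENT_UID CLIENT_GID FILE_OWNER FILE_GROUP MODE
nfs_write_check() {
    nfs_who=$(nfs_effective_id "$1" "$2" "$3")
    if nfs_can_write "$nfs_who" "$4" "$5" "$6"; then
        echo "ok as $nfs_who"
    else
        echo "Permission denied as $nfs_who"
    fi
}

# root on the client writing to a file owned by UID 1000, mode rw-r--r--:
nfs_write_check rw,root_squash 0 0 1000 1000 rw-r--r--
```

The last line prints `Permission denied as 65534:65534`; the same call with `no_root_squash` prints `ok as 0:0`, which is the behaviour an attacker on a squash-free export gets for every file.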

365
MCQmedium

A filesystem check on an XFS filesystem reports corruption. What is the recommended way to repair it?

A.Run xfs_check on the mounted filesystem.
B.Run xfs_repair on the unmounted filesystem.
C.Run xfs_repair -n first, then unmount and repair.
D.Run fsck -t xfs on the mounted filesystem.
AnswerC

Best practice: run in no modify mode before actual repair.

Why this answer

Option C is correct because the recommended procedure is to run `xfs_repair -n` first, which scans the device and lists what it would change without modifying anything, review that output, and only then run `xfs_repair` on the unmounted device. The no-modify pass is the safety step: a run that wants to clear a large number of inodes or rebuild whole directories usually means a failing disk or controller, which a repair will not fix and a backup of the raw device should precede. xfs_repair works on the block device, not through the mounted filesystem, and refuses to modify a mounted one; for trustworthy results the dry run should also be done against the unmounted device, since a filesystem that is still being written to has in-flight state the tool cannot see. Two exit codes matter: `xfs_repair -n` returns 1 when it found corruption and 0 when clean, and either mode returns 2 when the log is dirty. In that case mount and unmount the filesystem so the kernel replays the log, and reach for `-L` (zero the log) only if mounting is impossible, because it discards the unreplayed transactions.

Exam trap

The trap here is that candidates may think `xfs_repair` can be run on a mounted filesystem (it cannot, any more than e2fsck can safely run on a mounted ext4), or that `xfs_check` is still a valid repair tool, when in fact XFS requires unmounted repair and the no-modify pass is the critical safety measure.

How to eliminate wrong answers

Option A is wrong because `xfs_check` is a deprecated, read-only consistency checker that has been removed from current xfsprogs in favour of `xfs_repair -n`; it cannot repair anything, and run against a mounted, active filesystem it reports spurious inconsistencies. Option B is wrong because, while `xfs_repair` must indeed be run on an unmounted filesystem, skipping the no-modify pass applies changes without first seeing their extent, and on a filesystem with hardware problems that can turn recoverable data into cleared inodes. Option D is wrong because `fsck -t xfs` only dispatches to `fsck.xfs`, which on Linux is a stub that does nothing and tells you to use `xfs_repair`; and running any repair tool against a mounted filesystem is unsafe in any case.
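As an added example, not code from the page or from xfsprogs, the sequence above as a shell function. `xfs_safe_repair` is a hypothetical name; the function calls the real `findmnt`, `umount` and `xfs_repair`, so it only does something useful as root on a host with xfsprogs installed, and it reports one status word on stdout so a caller or cron job can react to each outcome.

```shell
# Recommended xfs_repair sequence: unmount, no-modify pass, repair only if the
# pass confirms corruption. Returns non-zero whenever it stops short of a repair.
xfs_safe_repair() {
    xdev=$1

    # 1. xfs_repair works on the block device, never through a mounted
    #    filesystem, and a dry run over a filesystem still being written to
    #    is unreliable: unmount first (findmnt prints nothing if not mounted).
    xmnt=$(findmnt -rn -o TARGET "$xdev" 2>/dev/null || true)
    if [ -n "$xmnt" ]; then
        umount "$xmnt" || { echo unmount-failed; return 1; }
    fi

    # 2. No-modify pass. xfs_repair -n exits 0 when the filesystem is clean,
    #    1 when it found corruption it would repair, 2 when the log is dirty.
    #    Tool output goes to stderr so stdout carries only the status word.
    xfs_repair -n "$xdev" 1>&2 && xrc=0 || xrc=$?

    case $xrc in
        0) echo clean ;;
        2)
            # A dirty log holds unreplayed transactions. Mount and unmount the
            # filesystem so the kernel replays it, then rerun this function.
            # xfs_repair -L zeroes the log and throws those transactions away:
            # last resort only, when the mount itself fails.
            echo dirty-log; return 2 ;;
        1)
            # 3. Corruption confirmed by the dry run: now modify the device.
            xfs_repair "$xdev" 1>&2 && echo repaired || { echo repair-failed; return 1; } ;;
        *) echo "unexpected-exit-$xrc"; return 1 ;;
    esac
}
```

Usage: `xfs_safe_repair /dev/sdb1`, then remount and check the application data. Keep the stderr output of both passes; the list of repaired structures is what tells you which files may need restoring from backup.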

366
MCQeasy

Given the exhibited routing table and rules, what will happen to a packet originating from IP 192.168.10.50 destined to 8.8.8.8?

A.The packet is dropped because no matching route exists.
B.The packet is forwarded via eth1 because of the 0.0.0.0/1 route.
C.The packet is forwarded via eth1 to 10.0.0.1.
D.The packet is forwarded via eth0 to the default gateway in the main table.
AnswerC

Table 100 has a default route via 10.0.0.1 for this source.

Why this answer

Two mechanisms are involved, and both end at the same next hop. First, policy routing: the kernel walks `ip rule` entries in priority order, and a rule selecting this source (for example `from 192.168.10.0/24 lookup 100`) sends the packet to table 100 before the main table is consulted at all; table 100 holds a default route via 10.0.0.1 on eth1. Second, within a table the kernel applies longest prefix match: the 0.0.0.0/1 entry covers 0.0.0.0 through 127.255.255.255, so for 8.8.8.8 it beats the 0.0.0.0/0 default via eth0 that sits in the main table, and it too points at 10.0.0.1 on eth1. Either way the packet is forwarded via eth1 to 10.0.0.1, which is what `ip route get 8.8.8.8 from 192.168.10.50 iif eth0` would report on the host.

Exam trap

The trap here is that candidates assume 0.0.0.0/0 is the only default route and ignore the more specific 0.0.0.0/1 route, leading them to incorrectly select the default gateway in the main table instead of recognizing the longer prefix match.

How to eliminate wrong answers

Option A is wrong because a matching route does exist: both the 0.0.0.0/1 entry and the default route cover 8.8.8.8, so the packet is not dropped. Option B is wrong because it names the mechanism but not the result: the question asks what happens to the packet, and the complete answer names the gateway as well as the interface, 10.0.0.1 via eth1, which Option C does. Option D is wrong because the main table's 0.0.0.0/0 default via eth0 is never chosen: either a source-based rule diverts the lookup to table 100 first, or, inside the main table, the longer /1 prefix takes precedence over /0.
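An added example, not code from the page: the kernel's route selection reduced to shell arithmetic so the two mechanisms can be seen separately, policy rules choosing the table and longest prefix match choosing the route inside it. The rules and tables are constructed to match the explanation above (the exhibit itself is not reproduced on the page), and `ip2int`, `prefix_mask`, `in_prefix`, `lookup_table` and `route_lookup` are hypothetical helper names.

```shell
# Constructed policy rules and routing tables, in `ip rule` / `ip route` order.
RULES='0 from all lookup local
100 from 192.168.10.0/24 lookup 100
32766 from all lookup main'

TABLE_100='0.0.0.0/0 via 10.0.0.1 dev eth1'

TABLE_MAIN='0.0.0.0/1 via 10.0.0.1 dev eth1
192.168.1.0/24 dev eth0
0.0.0.0/0 via 192.168.1.1 dev eth0'

# The local table is not modelled here, so a lookup in it never matches and
# the rule walk falls through, exactly as an empty table would in the kernel.
table_routes() { case $1 in 100) echo "$TABLE_100" ;; main) echo "$TABLE_MAIN" ;; *) echo "" ;; esac; }

ip2int() {  # dotted quad -> 32-bit integer
    o1=${1%%.*}; r=${1#*.}; o2=${r%%.*}; r=${r#*.}; o3=${r%%.*}; o4=${r#*.}
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

prefix_mask() {  # prefix length -> netmask as integer (/0 separately: a 32-bit shift is undefined)
    [ "$1" -eq 0 ] && { echo 0; return 0; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

in_prefix() {  # in_prefix ADDR PREFIX -> success when ADDR lies inside PREFIX (a.b.c.d/len or bare host)
    p_addr=$(ip2int "$1"); p_net=$(ip2int "${2%/*}")
    case $2 in */*) p_len=${2#*/} ;; *) p_len=32 ;; esac
    p_mask=$(prefix_mask "$p_len")
    [ $(( p_addr & p_mask )) -eq $(( p_net & p_mask )) ]
}

lookup_table() {  # lookup_table "ROUTES" DST -> next hop of the longest matching prefix, empty if none
    lt_routes=$1; lt_dst=$2; lt_best=-1; lt_out=
    while read -r lt_line; do
        [ -n "$lt_line" ] || continue
        set -- $lt_line                     # PREFIX [via GW] dev IF
        lt_prefix=$1; shift; lt_gw=; lt_if=
        while [ $# -gt 0 ]; do
            case $1 in
                via) lt_gw=$2; shift 2 ;;
                dev) lt_if=$2; shift 2 ;;
                *)   shift ;;
            esac
        done
        case $lt_prefix in */*) lt_len=${lt_prefix#*/} ;; *) lt_len=32 ;; esac
        if in_prefix "$lt_dst" "$lt_prefix" && [ "$lt_len" -gt "$lt_best" ]; then
            lt_best=$lt_len; lt_out="${lt_gw:+via $lt_gw }dev $lt_if"
        fi
    done <<EOF
$lt_routes
EOF
    echo "$lt_out"
}

route_lookup() {  # route_lookup SRC DST -> rules in priority order; the first table with a match wins
    rl_src=$1; rl_dst=$2
    while read -r rl_prio rl_from rl_sel rl_lookup rl_table; do
        [ -n "$rl_prio" ] || continue
        if [ "$rl_sel" != all ] && ! in_prefix "$rl_src" "$rl_sel"; then continue; fi
        rl_hop=$(lookup_table "$(table_routes "$rl_table")" "$rl_dst")
        # a table without a matching route falls through to the next rule
        if [ -n "$rl_hop" ]; then echo "table $rl_table: $rl_hop"; return 0; fi
    done <<EOF
$RULES
EOF
    echo unreachable
}

route_lookup 192.168.10.50 8.8.8.8     # the question's packet
route_lookup 192.168.1.50 8.8.8.8      # a source the rule does not match: /1 wins in main
route_lookup 192.168.1.50 200.1.1.1    # outside 0.0.0.0/1: the real default via eth0
```

On a live host the equivalent checks are `ip rule show`, `ip route show table 100` and `ip route get <dst> from <src> iif <if>`; the last one reports the table and next hop the kernel actually chose, which is the only authoritative answer when several rules and overlapping prefixes are in play.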

367
Multi-Selecteasy

A Linux server provides file sharing to Windows clients via Samba. The administrator notices that Windows clients are unable to resolve the NetBIOS name of the server. Which two services are essential for NetBIOS name resolution? (Choose two.)

Select 2 answers
A.DNS
B.nmbd
C.DHCP
D.winbindd
E.smbd
AnswersB, E

nmbd handles NetBIOS name services (NBNS).

Why this answer

B is correct because nmbd is Samba's NetBIOS name server: it answers NetBIOS name queries on UDP port 137 (the name service) and handles the browsing datagrams on UDP port 138, so without it a Windows client cannot turn the server's NetBIOS name into an IP address. E is paired with it because the shares themselves are served by smbd on TCP ports 139 and 445; a resolved name is of no use if nothing answers there. The name resolution itself, however, is entirely nmbd's job. To check a server that clients cannot find by name, confirm that nmbd is running and bound to UDP 137 (`ss -ulnp | grep 137`), that the firewall admits UDP 137/138 from the client subnet, and query it directly with `nmblookup -U <server-ip> -R <NETBIOS-NAME>`. Note that NetBIOS name resolution only matters when clients address the server by its NetBIOS name; a client that connects to the DNS name over port 445 never uses nmbd at all, which is the common case on current Windows versions.

Exam trap

The trap here is that candidates often confuse smbd (the file sharing daemon) with nmbd (the name resolution daemon), assuming smbd alone is sufficient for NetBIOS name resolution, or they incorrectly think DNS or DHCP are involved in NetBIOS name resolution.

368
MCQmedium

An application running under AppArmor is failing to write to its log directory. The AppArmor profile for the application includes the line '/var/log/myapp/ r,' but not '/var/log/myapp/** rw,'. What is the most likely issue?

A.The directory itself is not created, and AppArmor prevents creation.
B.The 'r' permission only allows read, but write is required.
C.The AppArmor service is not running, so the profile is not enforced.
D.The profile needs 'ix' instead of 'r' for execute rights.
AnswerB

The rule grants read access to the directory entry itself; creating and writing log files underneath needs write permission on those paths, for example `/var/log/myapp/** rw,`.

Why this answer

Option B is correct. In an AppArmor file rule the path and the permission set are separate things: `/var/log/myapp/ r,` allows the confined program to open and list the directory, nothing more. Creating `/var/log/myapp/app.log` and appending to it require `w` on that file path (in AppArmor, `w` covers create, write and truncate), and a rule ending in a slash matches only the directory, never anything inside it, so the missing line is `/var/log/myapp/** rw,`, or a tighter `/var/log/myapp/*.log w,` if the application only ever writes log files there. The kernel log confirms the diagnosis: a record such as `apparmor="DENIED" operation="open" profile="/usr/bin/myapp" name="/var/log/myapp/app.log" requested_mask="wc" denied_mask="wc"` shows exactly which path and which modes were refused, `aa-logprof` proposes the corresponding rule, and `apparmor_parser -r` loads the corrected profile.

How to eliminate wrong answers

Option A is wrong because a missing directory produces a different failure (the application cannot create it without `w` on `/var/log/myapp/` either, but the question states the directory is granted `r`, which implies it exists and is readable). Option C is wrong because if AppArmor were not running, or the profile were in complain mode, nothing would be denied at all; `aa-status` lists which profiles are loaded and in enforce mode. Option D is wrong because `ix` is an execute mode that governs how a program the confined process runs is confined; it has nothing to do with opening a file for writing.
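An added example, not code from the page or from the AppArmor project: turning denial records from the kernel log into the rule lines the profile lacks. `aa_field`, `aa_rule_from_denial` and `aa_suggest_rules` are hypothetical helpers (on a real host `aa-logprof` does this interactively and with much more policy judgement); the log lines are constructed to match the scenario, a profile with `/var/log/myapp/ r,` and an application that tries to create a log file and a subdirectory beneath it.

```shell
# Constructed sample records in the format the kernel writes for AppArmor
# events (journalctl -k or dmesg on a real system). Two denials for myapp,
# one unrelated allowed event that must be ignored.
AA_SAMPLE_LOG='audit: type=1400 audit(1700000000.101:41): apparmor="DENIED" operation="open" profile="/usr/bin/myapp" name="/var/log/myapp/app.log" pid=1234 comm="myapp" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.102:42): apparmor="DENIED" operation="mkdir" profile="/usr/bin/myapp" name="/var/log/myapp/archive/" pid=1234 comm="myapp" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.103:43): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/etc/other.conf" pid=99 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

aa_field() {  # aa_field LINE KEY -> the value of KEY="..." in LINE (empty if absent)
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

aa_rule_from_denial() {  # aa_rule_from_denial LINE -> "PROFILE PATH MASK," for DENIED records only
    case $1 in *'apparmor="DENIED"'*) ;; *) return 0 ;; esac
    printf '%s %s %s,\n' "$(aa_field "$1" profile)" "$(aa_field "$1" name)" "$(aa_field "$1" denied_mask)"
}

aa_suggest_rules() {  # kernel log on stdin -> deduplicated "PROFILE PATH MASK," lines
    while read -r aa_line; do aa_rule_from_denial "$aa_line"; done | sort -u
}

printf '%s\n' "$AA_SAMPLE_LOG" | aa_suggest_rules

# What the two suggestions collapse to in /etc/apparmor.d/usr.bin.myapp
# (w implies create, so the mkdir denial is covered as well):
#   /var/log/myapp/ r,
#   /var/log/myapp/** rw,
# then reload with: apparmor_parser -r /etc/apparmor.d/usr.bin.myapp
```

Per-path suggestions are deliberately narrow; widening `/var/log/myapp/app.log wc,` to `/var/log/myapp/** rw,` is a decision to take after reading the denials, not something to automate, because every glob you add is capability the application keeps if it is later compromised.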

369
Multi-Selecthard

Which TWO conditions are most likely to cause 'NT_STATUS_ACCESS_DENIED' when accessing a Samba share?

Select 2 answers
A.Lmhosts file misconfiguration
B.SMB protocol version mismatch
C.Linux filesystem permissions disallow write
D.Share permissions set to read-only for the user
E.Windows firewall blocking port 445
AnswersC, D

Denies write access at the filesystem level.

Why this answer

Option C is correct because Samba ultimately relies on the underlying Linux filesystem permissions to enforce write access. Even if Samba share permissions allow writing, if the Linux user or group mapped to the Samba session lacks write permission on the file or directory (through the mode bits or a POSIX ACL), the kernel denies the write and smbd reports it as NT_STATUS_ACCESS_DENIED. This is a common misconfiguration where administrators set share-level permissions correctly but forget the filesystem side. Option D is correct because Samba's own share settings are checked before the filesystem is ever touched: a share with `read only = yes` (the default unless `writeable = yes` or `read only = no` is set), a `write list` that does not include the user, or the user named in `read list` all produce NT_STATUS_ACCESS_DENIED on write regardless of Unix permissions. `testparm -s` prints the effective per-share values after defaults and overrides are applied, and the smbd log at a higher `log level` shows which of the two layers refused the operation.

Exam trap

The trap here is that candidates often assume Samba's share-level permissions are the sole gatekeeper, forgetting that Linux filesystem permissions are enforced independently and can override share-level settings.

370
Matchingmedium

Match each Linux filesystem feature to its description.

Description: filesystem

- Journaling filesystem with extents and delayed allocation: ext4
- High-performance 64-bit journaling filesystem: XFS
- Copy-on-write filesystem with snapshots and compression: Btrfs
- Advanced filesystem with volume management and checksumming: ZFS
- Network filesystem for sharing directories over a network: NFS

Why these pairings

These are common Linux filesystems and their key characteristics. ext4 added extents and delayed allocation to the ext3 design; XFS is the 64-bit journaling filesystem built for large files and high throughput; Btrfs and ZFS are both copy-on-write and both offer snapshots and compression, but the description that names integrated volume (pool) management together with end-to-end checksumming is ZFS, which leaves the snapshot and compression line to Btrfs; NFS is not a disk filesystem at all but the protocol for exporting directories over the network.

371
MCQeasy

During boot, the kernel outputs a message indicating that a required device driver is not found. Which command can be used to rebuild the initramfs to include the missing driver?

A.mkinitrd
B.grub-mkconfig
C.mkinitcpio
D.dracut
AnswerD

dracut is the standard tool for building initramfs on many distributions.

Why this answer

Dracut is the standard initramfs builder on Red Hat-based distributions (RHEL, CentOS, Fedora) and is available on most others. Before rebuilding, confirm that the module really is absent from the current image with `lsinitrd /boot/initramfs-$(uname -r).img | grep <driver>.ko`. Then `dracut --force` regenerates the image for the running kernel from the detected hardware and the configuration under /etc/dracut.conf.d/, and `dracut --force --add-drivers "<driver>"` forces a specific driver in; to keep it across kernel updates, add `add_drivers+=" <driver> "` (the surrounding spaces are part of the syntax) to a file in /etc/dracut.conf.d/. Keep a copy of the previous image, since a broken initramfs leaves the system unable to boot.

Exam trap

The trap here is that candidates confuse distribution-specific tools (mkinitcpio for Arch, mkinitrd for old Red Hat) with the cross-distribution standard dracut, which is the correct answer for LPIC-2's focus on modern enterprise Linux.

How to eliminate wrong answers

Option A is wrong because `mkinitrd` is a legacy tool used primarily on older Red Hat systems (pre-RHEL 6) and has been replaced by dracut; it does not handle modern initramfs generation with the same flexibility. Option B is wrong because `grub-mkconfig` is used to regenerate the GRUB bootloader configuration file (grub.cfg), not to rebuild the initramfs image. Option C is wrong because `mkinitcpio` is the initramfs creation tool for Arch Linux, not for the distribution-agnostic LPIC-2 context where dracut is the standard answer.

372
MCQeasy

A small business has a single Linux server that serves as both a file server (Samba) and a web server (Apache). The server is directly connected to the internet. Recently, there have been numerous brute-force SSH login attempts. The administrator wants to implement a simple solution to block IP addresses that have more than 5 failed SSH attempts in 10 minutes. The server runs Ubuntu 20.04. Which tool should the administrator use to achieve this with minimal configuration?

A.Enable UFW and set default deny incoming, allow SSH from specific IPs.
B.Install and configure Fail2ban to monitor /var/log/auth.log.
C.Set up TCP wrappers with /etc/hosts.deny for SSH.
D.Use port knocking to hide SSH port until a specific sequence is sent.
AnswerB

Fail2ban can ban IPs after a configurable number of failed attempts.

Why this answer

Option B is correct. Fail2ban tails the authentication log (/var/log/auth.log on Ubuntu), counts failures per source address within `findtime`, and once `maxretry` is reached inserts a firewall rule that blocks the source for `bantime`; the policy in the question maps directly onto `maxretry = 5`, `findtime = 600` and the stock `[sshd]` jail. Option A (UFW) is a front end to iptables/nftables and can restrict SSH to known addresses, but it has no notion of failed logins, so a source is either blocked permanently or not at all. Option C (TCP wrappers) is static per-host allow/deny in /etc/hosts.allow and /etc/hosts.deny with the same limitation, and it only applies to services linked against libwrap. Option D (knockd) hides the port from scanners but does nothing about repeated failures from a client that knows the sequence, and it is the opposite of minimal configuration.
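As an added example, not from the page or the Fail2ban project, the /etc/fail2ban/jail.local that implements the policy in the question on Ubuntu 20.04. Only values that differ from the shipped jail.conf belong in jail.local; the sshd filter and the log path already come from the distribution files. The management network in `ignoreip` is an assumption.

```ini
# /etc/fail2ban/jail.local
[DEFAULT]
# addresses that must never be banned: loopback and (assumed) the admin network
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8
# the question's policy: 5 failures inside 10 minutes (600 s) earns a one-hour ban
maxretry = 5
findtime = 600
bantime  = 3600
# if UFW is the host firewall, ban through it instead of raw iptables rules
banaction = ufw

[sshd]
enabled = true
port    = ssh
logpath = /var/log/auth.log
```

Reload with `systemctl restart fail2ban`, confirm the jail is live with `fail2ban-client status sshd`, and test the filter against the real log with `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`. If sshd only logs to the journal (no rsyslog), set `backend = systemd` in the jail instead of `logpath`.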

373
MCQhard

A Samba server is configured with 'vfs objects = recycle' to implement a recycle bin. After some time, users notice that deleted files are not appearing in the recycle bin. Which parameter is likely misconfigured?

A.recycle:maxsize
B.recycle:keeptree
C.recycle:repository
D.recycle:versions
AnswerC

Correct; if the repository path cannot be created or written by the connecting user, the module cannot move the file there and it is deleted as usual.

Why this answer

The recycle module implements deletion as a rename of the file into the directory named by `recycle:repository`, interpreted relative to the share root (the default is `.recycle`, and substitutions such as `%U` give each user a bin of their own). If that directory cannot be created or written by the connecting Unix user, for example because the share root is not writable for them or the path was mistyped, the module logs the failure and falls back to a normal unlink, so users see their files disappear with no error at all. Because parametric `recycle:` options are not validated by Samba, a misspelt option name is silently ignored rather than reported; `testparm -s` shows the share as smbd will read it, and the smbd log at a higher `log level` shows the failed rename.

Exam trap

The trap here is that candidates often confuse the purpose of `recycle:maxsize` or `recycle:versions` with the core requirement of defining the repository path, leading them to overlook the mandatory `recycle:repository` parameter.

How to eliminate wrong answers

Option A is wrong because `recycle:maxsize` only affects files above the limit (0, the default, means no limit); a badly chosen value would lose the large files, but smaller deletions would still land in the bin, not none at all. Option B is wrong because `recycle:keeptree` decides where inside the repository a file lands (its original directory path or the top level), not whether it lands there. Option D is wrong because `recycle:versions` controls whether a second deleted file with the same name is kept alongside the first or overwrites it; misconfiguring it loses older copies, not the recycle function itself.
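An added example share definition, not from the page or the Samba project, with the recycle module configured the way the question intends; the share name and path are assumptions.

```ini
[projects]
   path = /srv/samba/projects
   read only = no
   vfs objects = recycle
   ; relative to the share root; %U gives each user their own bin.
   ; the connecting user must be able to create this directory,
   ; otherwise deletions silently bypass the bin
   recycle:repository = .recycle/%U
   recycle:directory_mode = 0700
   recycle:subdir_mode = 0700
   ; keep the original directory layout, and keep several deleted versions of one name
   recycle:keeptree = yes
   recycle:versions = yes
   ; update timestamps on recycled files so a cleanup job can expire old entries
   recycle:touch = yes
   ; matching files are deleted outright, never recycled
   recycle:exclude = *.tmp
   ; 0 (the default) means no size limit; larger files would be deleted, not recycled
   recycle:maxsize = 0
   ; keep the bin itself out of directory listings
   hide files = /.recycle/
```

The bin grows without bound, so pair it with a cleanup job (a cron entry running `find` over the repositories and deleting entries older than the retention period, which is what `recycle:touch` makes reliable). Verify the result by deleting a file through `smbclient` as a normal user and checking that it appears under `.recycle/<user>/` on the server.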

374
MCQmedium

A Linux server is configured as a DNS resolver with BIND. Users report that they cannot resolve external hostnames. The server can resolve internal names. Which of the following is the most likely cause?

A.The server's /etc/resolv.conf points to itself.
B.The forwarders directive is missing from named.conf.
C.The firewall is blocking UDP port 53 outgoing from the server.
D.The named daemon is not running.
AnswerC

If outgoing DNS queries are blocked, external resolution fails, but internal zones can still be answered from local authoritative data.

Why this answer

The server can resolve internal names, so named is running and serving its authoritative zones correctly. External resolution fails, which means queries the server must send out, to its forwarders or iteratively from the root hints, never get an answer. Those queries leave from random high source ports to UDP port 53, fall back to TCP 53 when a response is truncated or too large for UDP, and need the replies to come back, so the firewall has to permit outbound destination port 53 over both protocols plus established/related return traffic. To confirm, query the resolver (`dig @127.0.0.1 example.com`) and then an upstream server directly from the same host (`dig @<upstream-ip> example.com`, or `dig +trace example.com` to walk from the root); if the direct query also times out, the cause is the network or firewall, not named. If it succeeds, look instead at named's configuration and logs (`rndc status`, the service's journal).

Exam trap

The trap here is that candidates assume missing forwarders (Option B) is the cause, but BIND can resolve externally via root hints without forwarders, so the real issue is a firewall blocking outbound UDP 53, which selectively breaks external resolution while internal resolution remains intact.

How to eliminate wrong answers

Option A is wrong because if /etc/resolv.conf points to itself (127.0.0.1 or local IP), the server would still be able to resolve internal names via its own named service, and external resolution would work if forwarding is configured; this would not cause a selective failure. Option B is wrong because the forwarders directive is optional; BIND can perform iterative resolution from the root hints without forwarders, so missing forwarders would not prevent external resolution unless the server is configured as a forwarder-only resolver. Option D is wrong because if named were not running, the server would fail to resolve both internal and external names, not just external ones.

375
MCQeasy

An administrator wants to restrict access to a service using PAM. Which file order determines the authentication flow for a service?

A./etc/pam.d/<service-name>
B./etc/nsswitch.conf
C./etc/security/access.conf
D./etc/pam.conf
AnswerA

Each service has its own PAM configuration file in /etc/pam.d/.

Why this answer

PAM (Pluggable Authentication Modules) uses per-service configuration files located in /etc/pam.d/ to define the authentication flow. When a service (e.g., sshd, login) calls PAM, it reads the file named after the service (e.g., /etc/pam.d/sshd) to determine the order of modules (auth, account, password, session) and their control flags (required, requisite, sufficient, optional). This file-based approach allows fine-grained, service-specific authentication policies.

Exam trap

The trap here is that candidates confuse the PAM service configuration directory (/etc/pam.d/) with the legacy monolithic /etc/pam.conf or with unrelated system configuration files like /etc/nsswitch.conf or /etc/security/access.conf, which serve entirely different purposes in the authentication or name resolution pipeline.

How to eliminate wrong answers

Option B is wrong because /etc/nsswitch.conf controls the order of name service lookups (hosts, passwd, group and so on) through NSS, not the PAM authentication flow. Option C is wrong because /etc/security/access.conf is the rule file of one module, pam_access, which restricts logins by user, group and origin; it only takes effect when a service's PAM file includes pam_access, and it does not define the service's authentication flow. Option D is wrong because /etc/pam.conf is the single-file configuration format: Linux-PAM reads it only when the /etc/pam.d/ directory does not exist, so on a modern Linux system the per-service files in /etc/pam.d/ are what is consulted.
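An added example, not from the page or the Linux-PAM project, of restricting one service through its PAM file: the per-service file defines the ordered flow, and one `account` line hands the restriction to pam_access and its rule file. The Debian/Ubuntu layout with `@include` is assumed, as are the group name and the admin network.

```text
# /etc/pam.d/sshd (fragment)
# The order here is the authentication flow; pam_access is placed before
# the shared account stack so a denial ends the session check immediately.
auth       required     pam_env.so
@include   common-auth
account    required     pam_access.so     # rules come from /etc/security/access.conf
@include   common-account
@include   common-password
session    required     pam_loginuid.so
@include   common-session

# /etc/security/access.conf
# permission : users or (groups) : origins    -- the first matching line wins
+ : root : LOCAL
+ : (sshadmins) : 10.0.0.0/24
- : ALL : ALL
```

sshd only consults PAM with `UsePAM yes` in sshd_config. Test the rule set from a second, already established session before closing the first one: the last line denies everything not matched above, and a typo in the group name locks out every remote administrator at once.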
