CCNA File Sharing and Samba Questions

75 of 95 questions · Page 1/2 · File Sharing and Samba · Answers revealed

1
MCQ · easy

A Samba share is configured with 'guest ok = yes'. What must also be configured to allow guest access?

A. security = share
B. map to guest = Bad User
C. force user = nobody
D. guest only = Yes
Answer: B

This parameter maps authentication failures to the guest account, enabling guest access.

Why this answer

When 'guest ok = yes' is set on a Samba share, the server still requires a mechanism to map unauthenticated or failed authentication attempts to the guest account. The 'map to guest = Bad User' directive tells Samba to treat any connection attempt with an invalid username as a guest connection, which is necessary for guest access to function. Without this mapping, clients presenting a non-existent or incorrect username will be rejected rather than being granted guest privileges.

Exam trap

The trap here is that candidates often assume 'guest ok = yes' alone is sufficient for guest access, overlooking the mandatory 'map to guest' directive that actually enables the mapping of unknown users to the guest account.

How to eliminate wrong answers

Option A is wrong because 'security = share' is a deprecated Samba security mode that was removed in Samba 4.x; it does not control guest mapping and is not required for guest access. Option C is wrong because 'force user = nobody' forces all connections to run as the 'nobody' user, but it does not enable guest access—it only overrides the effective user for file operations after authentication. Option D is wrong because 'guest only = Yes' forces all connections to be treated as guest, but it still requires 'map to guest' to be set appropriately; without it, Samba will reject connections that do not match a valid user.

2
MCQ · easy

An administrator has configured Samba as a domain member for an Active Directory environment. For user authentication via winbind, which daemon must be running?

A. smbd
B. samba
C. winbindd
D. nmbd
Answer: C

winbindd is required for user/group resolution from AD.

Why this answer

In a Samba domain member configuration for Active Directory, the winbindd daemon is responsible for resolving user and group information from the Windows domain and providing authentication services via the Winbind protocol. It communicates with the Active Directory domain controller using DCE/RPC and LDAP to map Windows SIDs to Unix UIDs/GIDs, enabling seamless user authentication. Without winbindd running, winbind-based authentication (e.g., via PAM or nsswitch) will fail, even if smbd and nmbd are active.

Exam trap

The trap here is that candidates often confuse the Samba suite daemons, assuming smbd handles all authentication tasks, but winbindd is the specific daemon required for AD domain member authentication and identity mapping.

How to eliminate wrong answers

Option A is wrong because smbd handles file and printer sharing (SMB/CIFS protocol) and user authentication via its own password backend, but it does not perform the domain member winbind resolution; it relies on winbindd for that. Option B is wrong because 'samba' is not a daemon but the overall suite name; the actual daemon for winbind functionality is winbindd. Option D is wrong because nmbd provides NetBIOS name service and browsing (NetBIOS over TCP/IP), which is unrelated to Active Directory user authentication via winbind.

3
MCQ · medium

An administrator sets up a Samba server with 'security = user'. Users are stored in the local smbpasswd file. After changing a user's Unix password, the user cannot access Samba shares. What should the administrator do?

A. Add the user to the 'valid users' list.
B. Run 'smbpasswd username' to set the SMB password.
C. Restart the smbd service.
D. Run 'pdbedit -u username' to modify the password.
Answer: B

Correct; SMB passwords are independent of Unix passwords and must be set explicitly.

Why this answer

When Samba is configured with 'security = user', each user must have a separate SMB password stored in the smbpasswd file (or the tdbsam backend). Changing the Unix password does not automatically update the SMB password. Running 'smbpasswd username' sets the SMB password for that user, allowing them to authenticate to Samba shares.

Exam trap

The trap here is that candidates assume changing the Unix password automatically updates the Samba password, or that restarting the service will synchronize them, when in fact they are stored in separate databases and must be updated independently.

How to eliminate wrong answers

Option A is wrong because the 'valid users' list controls which users are allowed to access a share, but it does not address the password mismatch; the user is already valid but cannot authenticate. Option C is wrong because restarting smbd does not change or synchronize passwords; it only reloads configuration and state. Option D is wrong because 'pdbedit -u username' is used to display or modify user database entries (e.g., account flags), not to set the password; the correct command to set the password is 'smbpasswd'.

4
MCQ · easy

After modifying /etc/samba/smb.conf, which command should be used to verify the syntax before restarting the Samba service?

A. nmblookup
B. testparm
C. smbclient
D. smbstatus
Answer: B

testparm validates the smb.conf syntax and prints the effective configuration.

Why this answer

The `testparm` command is specifically designed to parse and validate the syntax of the Samba configuration file `/etc/samba/smb.conf`. It checks for errors such as misspelled parameters, invalid values, or structural issues without requiring the Samba services to be running. This makes it the correct tool to verify syntax before restarting Samba.

Exam trap

The trap here is that candidates may confuse `testparm` with diagnostic tools like `smbstatus` or `nmblookup`, assuming any Samba-related command can verify configuration, when only `testparm` is designed for that specific purpose.

How to eliminate wrong answers

Option A is wrong because `nmblookup` is used for NetBIOS name resolution queries against WINS servers or broadcasts, not for checking Samba configuration syntax. Option C is wrong because `smbclient` is an FTP-like client for accessing SMB/CIFS shares on remote servers; it does not parse or validate the local smb.conf file. Option D is wrong because `smbstatus` reports current Samba connections, open files, and locked files, but it does not perform any configuration syntax checking.

5
MCQ · easy

A Samba share is configured with 'writable = no'. What does this mean?

A. The share is read-only.
B. Users can read and write.
C. Only root can write.
D. Write access depends on Unix permissions.
Answer: A

Correct; write access is denied.

Why this answer

When a Samba share is configured with 'writable = no', it explicitly denies write access to the share at the Samba level, regardless of underlying Unix file permissions. This directive overrides any other settings (like 'write list') and makes the share read-only for all clients connecting via SMB/CIFS protocols. The correct interpretation is that the share is read-only, which matches option A.

Exam trap

The trap here is that candidates often confuse Samba-level directives with Unix file permissions, assuming that if Unix permissions allow write, the share must be writable, but Samba's 'writable = no' is a higher-priority setting that overrides Unix permissions at the protocol level.

How to eliminate wrong answers

Option B is wrong because 'writable = no' explicitly prevents writing, so users cannot both read and write. Option C is wrong because 'writable = no' applies to all users, including root; root's write access is not special in Samba unless overridden by 'admin users' or 'force user' directives, but the default behavior denies write to everyone. Option D is wrong because 'writable = no' is a Samba-level setting that takes precedence over Unix permissions; even if Unix permissions allow write, Samba will deny it at the protocol level.

6
MCQ · hard

A Samba share is used by macOS clients. File names with special characters (e.g., ©) appear garbled. Which parameter should be added to the share configuration?

A. vfs objects = catia
B. dos charset = CP850
C. mangled names = yes
D. fruit:aapl = yes
Answer: D

Correct; enables Apple Filing Protocol extensions for proper file name handling.

Why this answer

Option D is correct because the `fruit:aapl = yes` parameter enables the Samba VFS module for macOS (Apple Filing Protocol) compatibility, which handles special characters like © by mapping them to Unicode-compatible representations that macOS clients expect. Without this, macOS clients may misinterpret or garble filenames with non-ASCII characters when accessing Samba shares.

Exam trap

The trap here is that candidates often confuse character encoding issues with filesystem mangling or DOS code pages, but the real solution for macOS clients is the fruit VFS module's AAPL extension, not legacy charset parameters.

How to eliminate wrong answers

Option A is wrong because `vfs objects = catia` is used for handling special characters in filenames on systems that require CAD/CAM compatibility, not for macOS client character encoding issues. Option B is wrong because `dos charset = CP850` sets the DOS code page for SMB1 protocol, but macOS clients use SMB2/3 and Unicode, so this parameter does not address the garbling of special characters like ©. Option C is wrong because `mangled names = yes` controls how Samba handles long filenames by truncating them, not how special characters are encoded or displayed.

7
MCQ · medium

A Samba administrator notices that Windows clients cannot access a shared directory. The share is defined in smb.conf as follows:

    [shared]
    path = /srv/samba/shared
    valid users = @staff
    browseable = yes
    read only = no

The /srv/samba/shared directory has permissions 755 and is owned by root:staff. Which is the most likely cause of the access issue?

A. The 'valid users' parameter is misspelled
B. The share is defined as browseable but not listed
C. SELinux is blocking access and must be disabled
D. The 'staff' group lacks write permission on the directory
Answer: D

755 gives owner rwx, group r-x, others r-x. Group cannot write.

Why this answer

The 'staff' group lacks write permission on the directory because the directory has permissions 755, which grants write access only to the owner (root). Even though the share is defined as 'read only = no', Samba enforces filesystem-level permissions. Since the 'valid users = @staff' restricts access to members of the staff group, they need write permission on the directory to create or modify files.

The group 'staff' has only read and execute permissions (r-x), so write operations fail.

Exam trap

The trap here is that candidates assume Samba's 'read only = no' alone grants write access, overlooking that Linux filesystem permissions are enforced independently and must also allow write for the effective user or group.

How to eliminate wrong answers

Option A is wrong because 'valid users' is correctly spelled in the configuration; a misspelling would cause a syntax error or be ignored, but the issue here is permissions. Option B is wrong because 'browseable = yes' means the share appears in network browsing lists, and there is no parameter 'listed' in Samba; this option describes a non-existent problem. Option C is wrong because while SELinux can block Samba access, it is not the most likely cause given the explicit permission mismatch; disabling SELinux is an extreme and unnecessary step, and the question asks for the most likely cause.

8
Matching · medium

Match each RAID level to its description.

Concepts
Matches

Striping without redundancy

Mirroring for redundancy

Striping with distributed parity

Striping with double distributed parity

Mirrored stripes combining RAID 1 and RAID 0

Why these pairings

RAID levels provide different performance and redundancy trade-offs.

9
MCQ · hard

An administrator needs to configure Samba to use encrypted passwords via LDAP backend. The LDAP server is already set up with the necessary schema. Which passdb backend should be specified in smb.conf?

A. passdb backend = ldap:ldap://ldap.example.com
B. passdb backend = secret:ldap://ldap.example.com
C. passdb backend = sam:ldap://ldap.example.com
D. passdb backend = ldapsam:ldap://ldap.example.com
Answer: D

Correct syntax for LDAP passdb backend.

Why this answer

Option D is correct because the `ldapsam` passdb backend is the Samba module specifically designed to store and authenticate user accounts (including encrypted passwords) against an LDAP directory. The syntax `ldapsam:ldap://ldap.example.com` tells Samba to use the LDAP SAM (Security Account Manager) backend, which maps Samba's account attributes to LDAP entries using the standard Samba LDAP schema (e.g., sambaSamAccount).

Exam trap

The trap here is that candidates may recall that Samba uses 'ldap' as a general term for LDAP integration and incorrectly assume the backend name is simply `ldap`, but the actual required backend name is `ldapsam` to specifically indicate the SAM (Security Account Manager) module for user and password storage.

How to eliminate wrong answers

Option A is wrong because `ldap` is not a valid Samba passdb backend name; Samba uses `ldapsam` (or `ldapsam_compat`) for LDAP-based password storage, not a bare `ldap` keyword. Option B is wrong because `secret` is not a recognized passdb backend; it appears to confuse Samba's `secrets.tdb` file (which stores machine trust passwords) with a user authentication backend. Option C is wrong because `sam` refers to the built-in TDB-based SAM backend (e.g., `tdbsam`), not an LDAP backend; appending an LDAP URI to `sam` is syntactically invalid and would cause Samba to fail to load the backend.

10
Multi-Select · hard

A Samba administrator needs to configure a share that allows only the user 'alice' and the group 'developers' to read and write files. Others should have no access. Which two parameters should be set in the share definition? (Choose two.)

Select 2 answers
A. valid users = alice, @developers
B. invalid users = alice, @developers
C. force user = alice
D. write list = alice, @developers
E. read list = alice, @developers
Answers: A, D

Restricts access to alice and members of the developers group.

Why this answer

The 'valid users' parameter restricts access to only the specified users and groups, so setting 'valid users = alice, @developers' ensures only alice and members of the developers group can connect to the share. The 'write list' parameter grants write access to the listed users and groups, overriding any read-only setting; combining it with 'valid users' ensures that alice and the developers group have both read and write permissions, while all others are denied access entirely.

Exam trap

The trap here is that candidates often confuse 'valid users' with 'write list' or think 'invalid users' can be used to deny everyone except the listed users, but 'invalid users' explicitly blocks those users rather than allowing them, and 'write list' alone does not restrict access to only those users.

11
Multi-Select · easy

Which TWO commands can be used to query a Samba server for its available shares and workgroups?

Select 2 answers
A. net share
B. smbclient -L
C. smbstatus
D. testparm
E. nmblookup
Answers: B, E

Correct. smbclient -L lists shares on a specified server.

Why this answer

The `smbclient -L` command queries a Samba server for its available shares and workgroups by listing the server's exported resources. The `-L` option specifies the server to query, and it uses the SMB protocol to retrieve the share list and workgroup information from the remote Samba server.

Exam trap

The trap here is that candidates often confuse `smbclient -L` with `smbstatus` or `testparm`, thinking those commands also list remote shares, when in fact they only inspect local server state or configuration.

12
MCQ · medium

A company runs a mixed environment with Linux and Windows clients. The Samba server is configured as a domain member for authentication. Users authenticate via Active Directory using winbind. Recently, the IT department implemented a new password policy that requires all users to change passwords every 90 days. After the policy took effect, several users report that they cannot access Samba shares from their Linux clients (using smbclient) even though they can log into their Windows desktops with the same credentials. The error message on Linux is 'session setup failed: NT_STATUS_LOGON_FAILURE'. The administrator runs 'wbinfo -a username%password' and it succeeds. What is the most likely cause?

A. The Samba server's krb5.conf is misconfigured for the new password policy.
B. The users' passwords contain characters that are not being encoded correctly by smbclient.
C. The Samba server's cached credentials for these users have expired and not been refreshed.
D. The Linux clients are using an older version of Samba that does not support the new password policy.
Answer: C

Winbind caches credentials; after a password change, the cache may be stale.

Why this answer

Option C is correct because when a Samba server is a domain member using winbind, it caches user credentials to reduce authentication traffic to the domain controller. After the new 90-day password policy, users changed their passwords on Windows, but the cached credentials on the Samba server were not refreshed. The `wbinfo -a` command succeeds because it contacts the domain controller directly, bypassing the cache, while `smbclient` fails because it uses the stale cached credentials, resulting in NT_STATUS_LOGON_FAILURE.

Exam trap

The trap here is that candidates assume `wbinfo -a` success means the Samba server is fully functional, overlooking that cached credentials can cause failures for tools that rely on the cache, such as `smbclient` or mount.cifs.

How to eliminate wrong answers

Option A is wrong because krb5.conf configuration affects Kerberos authentication, but the error message 'session setup failed: NT_STATUS_LOGON_FAILURE' indicates NTLM or password-based authentication failure, not a Kerberos ticket issue; the new password policy does not directly impact krb5.conf. Option B is wrong because smbclient handles character encoding correctly for standard ASCII and UTF-8 passwords; if encoding were the issue, `wbinfo -a` would also fail, but it succeeds. Option D is wrong because the password policy (90-day expiry) is enforced by Active Directory, not by the Samba client version; older Samba versions still support password changes and authentication as long as they are domain members.

13
MCQ · medium

In a Samba domain member server, which file contains the SID to Unix ID mappings?

A. /etc/group
B. /var/lib/samba/winbindd_idmap.tdb
C. /var/lib/samba/private/secrets.tdb
D. /etc/passwd
Answer: B

Correct; this TDB file stores SID-to-UID/GID mappings.

Why this answer

B is correct because Samba domain member servers use the winbindd service to map Windows SIDs to Unix UIDs/GIDs, and these mappings are stored in the `winbindd_idmap.tdb` file located in `/var/lib/samba/`. This TDB (Trivial Database) file maintains the persistent ID mapping database, which is essential for translating between the two security identifier systems.

Exam trap

The trap here is that candidates often confuse the `secrets.tdb` file (which stores machine secrets) with the `winbindd_idmap.tdb` file (which stores ID mappings), leading them to select option C incorrectly.

How to eliminate wrong answers

Option A is wrong because `/etc/group` stores Unix group definitions and GID assignments, not SID-to-Unix ID mappings; it is a local system file unrelated to Samba's ID mapping. Option C is wrong because `/var/lib/samba/private/secrets.tdb` stores machine account passwords and domain secrets (like the machine SID), not the ID mapping database used by winbindd. Option D is wrong because `/etc/passwd` stores Unix user accounts and UIDs, and while winbindd can be configured to use it for fallback, it does not contain the actual SID-to-Unix ID mappings; those are maintained in the winbindd_idmap.tdb file.

14
Multi-Select · easy

Which TWO commands can be used to list Samba shares on a remote server?

Select 2 answers
A. smbstatus
B. nmblookup -S server
C. net view \\server
D. findsmb
E. smbclient -L //server
Answers: D, E

Correct; findsmb queries the network for Samba servers and shares.

Why this answer

Option D is correct because `findsmb` is a utility that scans the local subnet for Samba/CIFS servers and lists their shares. Option E is correct because `smbclient -L //server` queries the specified remote server for its available shares using the SMB protocol, making it a direct and reliable method for listing shares.

Exam trap

The trap here is that candidates often confuse `nmblookup -S` with a share-listing command, when in fact it only resolves NetBIOS names and displays service type flags, not actual share names.

15
Multi-Select · hard

Which TWO of the following are valid methods to join a Samba server to an Active Directory domain using Samba 4?

Select 2 answers
A. `smbpasswd -j`
B. `winbindd -j`
C. `net ads join`
D. `samba-tool domain join`
E. `net rpc join`
Answers: C, D

The net ads command is used for AD joins.

Why this answer

Option C is correct because `net ads join` is the traditional Samba tool for joining an Active Directory domain using the LDAP and Kerberos protocols over TCP/IP, which is the standard method for Samba 3 and later versions. Option D is correct because `samba-tool domain join` is the native Samba 4 command that directly integrates with the built-in AD domain controller functionality, allowing a Samba server to join an existing AD domain as a member server.

Exam trap

The trap here is that candidates often confuse legacy NT4-style join commands (`net rpc join`) with modern AD join methods, or incorrectly assume that `smbpasswd` or `winbindd` have built-in join capabilities, when in fact only `net ads join` and `samba-tool domain join` are valid for Samba 4 AD joins.

16
MCQ · medium

An organization uses a Samba server as a standalone file server. The share 'Projects' is configured with browseable = yes and guest ok = no. Users authenticate with local Samba accounts. A new employee needs access but cannot authenticate. The administrator added the user with 'smbpasswd -a newuser' and set a password. When the user tries to connect, they get 'NT_STATUS_LOGON_FAILURE'. The administrator verifies the username and password are correct. smb.conf includes: security = user, passdb backend = tdbsam. What is the most likely cause?

A. The 'null passwords' parameter is set to 'yes'.
B. The 'map to guest' parameter is set to 'Bad User'.
C. The 'encrypt passwords' parameter is set to 'no'.
D. The user account is not in the system's /etc/passwd.
Answer: D

Samba needs a system account for UID mapping; missing account causes logon failure.

Why this answer

The correct answer is D because Samba with `passdb backend = tdbsam` stores user credentials in its own TDB database, but it still requires the user to exist as a local system account in `/etc/passwd` (or equivalent) for authentication to succeed. The `smbpasswd -a` command only adds the user to the Samba password database; if the user is not present in `/etc/passwd`, the authentication attempt fails with `NT_STATUS_LOGON_FAILURE` because Samba cannot map the session to a valid Unix UID.

Exam trap

The trap here is that candidates assume `smbpasswd -a` alone creates a fully functional Samba user, but it only updates the password backend; the underlying Unix account must exist in `/etc/passwd` for authentication to proceed.

How to eliminate wrong answers

Option A is wrong because `null passwords = yes` would allow blank passwords, which is irrelevant to a user who has a non‑blank password set via `smbpasswd`. Option B is wrong because `map to guest = Bad User` would map failed authentication attempts to the guest account, but the share has `guest ok = no`, so guest access is denied; moreover, the error is `NT_STATUS_LOGON_FAILURE`, not a guest mapping. Option C is wrong because `encrypt passwords = no` would disable NTLM password hashing, but modern Samba (with `security = user` and `tdbsam`) defaults to encrypted passwords, and setting it to `no` would cause a different error (e.g., `NT_STATUS_ACCESS_DENIED`), not a logon failure.

17
MCQ · medium

A Samba server is configured with 'security = ads' and joined to an Active Directory domain. Users report that SIDs are not being resolved correctly. Which service and configuration file are critical for ID mapping?

A. smbd and /etc/samba/smb.conf
B. winbind and /etc/security/pam_winbind.conf
C. nmbd and /etc/samba/smb.conf
D. winbind and /etc/samba/smb.conf
Answer: D

Correct; Winbind provides ID mapping and uses smb.conf for settings.

Why this answer

When Samba is configured with 'security = ads' and joined to an Active Directory domain, the winbind service is responsible for resolving Windows SIDs to Unix UIDs/GIDs and vice versa. The critical configuration for ID mapping is defined in the 'idmap config' directives within /etc/samba/smb.conf, making winbind and smb.conf the correct pair. Without winbind running and proper idmap configuration, SID resolution will fail.

Exam trap

The trap here is that candidates confuse winbind's role in authentication (PAM) with its role in ID mapping, leading them to choose /etc/security/pam_winbind.conf instead of /etc/samba/smb.conf for the critical configuration file.

How to eliminate wrong answers

Option A is wrong because smbd handles file sharing and authentication, not SID-to-UID/GID resolution; ID mapping is managed by winbind. Option B is wrong because /etc/security/pam_winbind.conf configures PAM integration for authentication, not the ID mapping backend; the core ID mapping configuration resides in /etc/samba/smb.conf. Option C is wrong because nmbd handles NetBIOS name resolution and browsing, not ID mapping or SID resolution; winbind is the required service.

18
Multi-Select · hard

Which THREE configuration directives are necessary to enable Winbind for Active Directory authentication on a Samba domain member?

Select 3 answers
A. security = ads
B. winbind use default domain = yes
C. realm = EXAMPLE.COM
D. workgroup = EXAMPLE
E. idmap config * : range = 10000-20000
Answers: A, C, E

Correct; enables Active Directory domain membership.

Why this answer

Option A is correct because setting 'security = ads' tells Samba to operate as an Active Directory domain member, using Kerberos for authentication and LDAP for identity lookups. This directive is mandatory for Winbind to communicate with an AD domain controller.

Exam trap

The trap here is that candidates often confuse 'workgroup' with 'realm' or assume 'winbind use default domain = yes' is mandatory, when in fact only 'security = ads', 'realm', and an idmap range are strictly required for basic Winbind AD integration.

19
Multi-Select · medium

Which TWO of the following are common symptoms of a misconfigured winbind service when Samba is joined to an Active Directory domain?

Select 2 answers
A. `net ads join` fails with 'access denied'.
B. Domain users cannot authenticate via SSH.
C. `getent passwd` does not list domain users.
D. `wbinfo -u` returns a list of domain users but `getent passwd` does not.
Answers: C, D

This indicates winbind NSS module is not working.

Why this answer

When winbind is misconfigured, the Name Service Switch (NSS) module may not be properly set up to query winbind for domain users. This means `getent passwd` will not return domain users even if winbind itself can enumerate them via `wbinfo -u`. The core issue is that NSS is not configured to use the `winbind` source in `/etc/nsswitch.conf`, or the winbind service is not correctly communicating with the NSS subsystem.

Exam trap

The trap here is that candidates assume `wbinfo -u` and `getent passwd` should always return the same results, but they do not realize that `wbinfo` bypasses NSS and directly queries winbind, while `getent` relies on the NSS configuration.

20
MCQ · hard

A company uses a Samba server (version 4.12) on Ubuntu 20.04 to provide file sharing for the engineering department. The server has a share [projects] defined in smb.conf with the following parameters: `path = /srv/projects`, `valid users = @engineers`, `read only = no`, `create mask = 0660`, `directory mask = 0770`. All users in the engineers group can authenticate and list the share contents but they report that they cannot create new files or modify existing ones. The command `ls -ld /srv/projects` shows `drwxrwxr-x`, and the directory is owned by root:engineers. The sysadmin has confirmed that the file system permissions on /srv/projects are set to 2775, but the setgid bit does not appear in the ls output. Additionally, users are able to create files in other shares on the same server that are configured similarly. Which of the following is the most likely cause and solution?

A. The valid users parameter should be changed to include '%engineers' instead of '@engineers'.
B. The create mask is too restrictive. Change it to 0666 to allow more permissions.
C. The directory lacks the setgid bit and new files do not inherit the engineers group. Add `force group = engineers` and `inherit permissions = yes` to the share configuration.
D. The parameter `read only = no` is being overridden by a global setting. Add `writable = yes` to the share.
Answer: C

This forces new files to have the engineers group and propagates the setgid behavior, ensuring group write for all users.

Why this answer

The directory permissions shown (drwxrwxr-x) indicate the setgid bit is not set (missing 's' in group execute position). Without the setgid bit, new files inherit the user's primary group, which may not be 'engineers'. Additionally, files created by other users have wrong group, preventing group write.

Adding `force group = engineers` forces all new files to have the engineers group, and `inherit permissions = yes` ensures the setgid behavior. Option A would weaken security. Option B uses incorrect syntax.

Option D is incorrect because `read only = no` and `writable = yes` are equivalent.

21
Drag & Drop · medium

Arrange the steps to configure a Linux system as an Apache virtual host.

Steps
Order

Why this order

First create document root, then create site config, enable it, reload, and test.

22
MCQ · medium

Refer to the exhibit. A user in the group 'staff' attempts to access the share 'share' from a Windows client. The user is prompted for credentials and authenticates successfully, but cannot write any files. What is the most likely reason?

A. The passdb backend is set to tdbsam, which does not support write operations.
B. The share has guest ok = No, which prevents guest access.
C. The valid users parameter does not include the user.
D. The share has read only = Yes, which prevents writes even for authenticated users.
Answer: D

The 'read only' parameter overrides all write permissions.

Why this answer

Option D is correct because the `read only = Yes` parameter in a Samba share definition explicitly prevents all write operations, even for authenticated users. When this parameter is set, Samba enforces read-only access at the share level, overriding any user or group permissions that might otherwise allow writes. Since the user authenticates successfully but cannot write, the most direct cause is this share-level restriction.

Exam trap

The trap here is that candidates often overlook the `read only = Yes` parameter and instead focus on authentication or user inclusion, assuming that successful authentication implies write access, but Samba's share-level read-only flag overrides all user permissions.

How to eliminate wrong answers

Option A is wrong because `passdb backend = tdbsam` is a valid backend that fully supports write operations; it stores user credentials and does not affect file write permissions. Option B is wrong because `guest ok = No` only disables guest (anonymous) access, requiring authentication, which the user has already completed successfully. Option C is wrong because if `valid users` did not include the user, the user would be denied access entirely (not prompted for credentials or allowed to authenticate), and the question states the user authenticates successfully.

23
Multi-Selecteasy

Which TWO files are commonly used by Samba for configuration and user authentication? (Choose two.)

Select 2 answers
A./etc/samba/smbusers
B./etc/passwd
C./etc/samba/smbpasswd
D./etc/hosts.allow
E./etc/samba/smb.conf
AnswersC, E

Stores Samba user passwords.

Why this answer

Option C is correct because `/etc/samba/smbpasswd` is the traditional Samba password file used for user authentication in Samba's own encrypted password format (LM/NT hashes). Option E is correct because `/etc/samba/smb.conf` is the primary Samba configuration file that defines shares, global settings, and security parameters. Both files are essential for Samba's operation: `smb.conf` controls the server behavior, while `smbpasswd` stores user credentials for SMB/CIFS authentication.

Exam trap

The trap here is that candidates often confuse `/etc/samba/smbusers` (user mapping) with authentication files, or mistakenly think `/etc/passwd` is a Samba-specific file, when in fact Samba uses its own password storage separate from the system's `/etc/passwd`.

24
MCQeasy

In Samba 4, what is the default security mode when no 'security' parameter is set in the [global] section?

A.ads
B.share
C.domain
D.user
AnswerD

Samba defaults to user-level security.

Why this answer

In Samba 4, when no 'security' parameter is explicitly set in the [global] section, the default security mode is 'user'. This means clients must authenticate with a valid username and password, and Samba validates credentials against the local passdb backend (e.g., tdbsam or LDAP). This default has been consistent since Samba 3.x and ensures that each connection is tied to a specific user identity.

Exam trap

The trap here is that candidates may confuse the historical 'share' security mode (which was the default in very early Samba versions) with the modern default, or mistakenly think that Samba 4 defaults to 'domain' or 'ads' because of its Active Directory integration capabilities, but the actual default remains 'user' for backward compatibility and security.

How to eliminate wrong answers

Option A is wrong because 'ads' (Active Directory Security) is not the default; it requires explicit configuration to join an Active Directory domain and uses Kerberos for authentication. Option B is wrong because 'share' security mode was deprecated in Samba 3.x and removed in Samba 4; it allowed password-less guest access per share, which is insecure and no longer supported as a security mode. Option C is wrong because 'domain' security mode is used when Samba is a domain member in a legacy NT4-style domain, but it is not the default; it requires explicit setup and is less common in modern deployments.

25
Multi-Selectmedium

Which TWO global parameters can be used to control the security mode of a Samba server?

Select 2 answers
A.security
B.map to guest
C.netbios name
D.workgroup
E.server string
AnswersA, B

Sets the security mode (user, ads, etc.).

Why this answer

The `security` parameter is the primary global setting that defines the Samba server's security mode (e.g., user, domain, ads, server). The `map to guest` parameter controls how Samba handles authentication failures by optionally mapping invalid users to the guest account, effectively modifying the security behavior. Both are global parameters that directly influence the security mode of the Samba server.

Exam trap

The trap here is that candidates may confuse `map to guest` as a non-security parameter, but it directly alters the security posture by controlling guest fallback, making it a valid global security mode control alongside `security`.

26
MCQmedium

Refer to the exhibit. A user reports that they can connect to the 'shared' share from a Windows client and read files, but cannot write any files. The share permissions on the filesystem are set to 777 on /srv/samba/shared. What is the most likely cause of the write failure?

A.The 'guest ok = yes' parameter prevents writes for authenticated users.
B.The global 'create mask = 0700' restricts the permissions of newly created files, and the share is using a default user with no write permission.
C.The 'read only = no' parameter is overridden by the 'printable = yes' in the printers share.
D.The 'browseable = yes' parameter prevents writing by design.
AnswerB

Correct. The create mask applies to all shares, and if the user does not match the owner, they may not have write access to new files.

Why this answer

Option B is correct because the global `create mask = 0700` setting in the Samba configuration restricts the permissions of newly created files to owner-only read/write/execute. When a user connects to the share, Samba maps them to a default user (e.g., `nobody` or `guest`) if no specific user mapping is configured. Since the default user is not the owner of the files, the 0700 mask prevents write access, even though the filesystem permissions on `/srv/samba/shared` are 777.

The `read only = no` in the share definition allows writes in principle, but the create mask overrides the effective permissions for file creation.

Exam trap

The trap here is that candidates assume filesystem permissions (777) alone guarantee write access, overlooking how Samba's `create mask` and `force user` settings can silently restrict effective permissions at the protocol level.

How to eliminate wrong answers

Option A is wrong because `guest ok = yes` allows guest connections but does not inherently prevent writes for authenticated users; it only affects guest access, and the issue here is about a user who can connect and read but not write. Option C is wrong because `read only = no` is not overridden by `printable = yes` in a different share (printers); each share has its own configuration, and the printers share does not affect the 'shared' share. Option D is wrong because `browseable = yes` controls whether the share appears in network browsing lists, not whether writing is allowed; write access is governed by `read only`, `writable`, and permission masks.

27
MCQmedium

Windows clients cannot see the Samba server in Network Neighborhood, but they can access shares by typing the UNC path. Which Samba daemon must be running?

A.smbd
B.samba
C.winbindd
D.nmbd
AnswerD

nmbd provides NetBIOS name resolution and browsing.

Why this answer

The nmbd daemon is responsible for NetBIOS name resolution and browsing, which enables Windows clients to discover Samba servers in Network Neighborhood. When nmbd is not running, clients can still connect via UNC paths because smbd handles file sharing directly, but browsing and name resolution fail.

Exam trap

LPI often tests the distinction between smbd (file sharing) and nmbd (browsing/name resolution), trapping candidates who assume that file access implies browsing capability.

How to eliminate wrong answers

Option A is wrong because smbd provides file and print sharing services, not NetBIOS browsing or name resolution; it handles actual data transfer once a connection is established. Option B is wrong because 'samba' is not a standard daemon name; the correct daemon for browsing is nmbd, and the samba package includes multiple daemons. Option C is wrong because winbindd resolves user and group information from Windows domain controllers, not NetBIOS name resolution or browsing.

28
MCQhard

You are the administrator for a small office network with 20 Linux workstations and 5 Windows 10 clients. The company uses a Samba server (version 4.15) running on Ubuntu 22.04 to share a central directory /data with user-level security. Each user has a home directory on the server, and all users are in the 'staff' group. Recently, users have complained that they can access the /data share from Windows but cannot modify any files, even though they could before. The Samba configuration for the share is:

[data]
path = /data
browseable = yes
read only = no
valid users = @staff
create mask = 0660
directory mask = 0770
force group = staff

You check the filesystem permissions on /data and find it is owned by root:staff with permissions 775. Files inside are owned by individual users and group staff with permissions 664. You also check smbstatus and see that users are connected as 'guest' rather than their actual username. What is the most likely cause of the problem?

A.The 'valid users = @staff' directive excludes root, so users cannot write because the share is owned by root.
B.The 'force group = staff' parameter overrides file ownership and prevents writes because the files are owned by root.
C.The global 'map to guest = Bad User' setting is causing users who mistype their password to be mapped to the guest account, losing write permissions.
D.The 'create mask = 0660' is too restrictive and prevents users from writing to existing files.
AnswerC

Correct. This is a common misconfiguration; users connect as guest if password fails, and guest may not have write access.

Why this answer

The 'map to guest = Bad User' global setting in Samba causes any user who fails authentication (e.g., due to a typo or incorrect password) to be mapped to the guest account. Since the share does not define a 'guest ok' or 'guest only' setting, and the guest account typically has no write permissions on the /data directory, users connected as guest cannot modify files. The smbstatus output confirming users are connected as 'guest' directly points to this misconfiguration.

Exam trap

The trap here is that candidates often focus on filesystem permissions or mask values, overlooking the global 'map to guest' setting which silently downgrades authenticated users to guest, stripping write access despite correct share-level permissions.

How to eliminate wrong answers

Option A is wrong because the 'valid users = @staff' directive does not exclude root; root is not a member of staff by default, but the share is owned by root:staff, and root can always access files regardless of valid users. Option B is wrong because 'force group = staff' only changes the group of new files to staff, not ownership, and does not prevent writes; it actually helps ensure group write permissions apply. Option D is wrong because 'create mask = 0660' only affects the permissions of newly created files, not existing files; users cannot modify existing files due to guest mapping, not the mask.

29
MCQeasy

After modifying smb.conf, which command should be used to verify the configuration syntax before restarting Samba?

A.net conf
B.testparm
C.smbpasswd
D.smbcontrol
AnswerB

testparm validates the smb.conf syntax.

Why this answer

The correct command is `testparm`, which is specifically designed to parse and validate the syntax of the Samba configuration file `smb.conf`. It checks for errors such as misspelled parameters, invalid values, or structural issues without requiring the Samba services to be restarted. This ensures that any syntax problems are caught before applying changes to the running Samba daemons (smbd, nmbd, winbindd).

Exam trap

The trap here is that candidates may confuse `testparm` with `smbcontrol reload-config`, thinking that reloading the configuration also validates syntax, but `smbcontrol` does not perform syntax checking and will silently apply a broken configuration if the daemon accepts it, potentially causing undefined behavior.

How to eliminate wrong answers

Option A is wrong because `net conf` is used to manage Samba configuration stored in a registry-like database (e.g., via `net conf setparm` or `net conf drop`), not to validate the syntax of a traditional `smb.conf` file. Option C is wrong because `smbpasswd` is used to manage Samba user passwords and the encrypted password database (smbpasswd file or tdbsam), not to verify configuration syntax. Option D is wrong because `smbcontrol` is used to send control messages (e.g., reload-config, shutdown) to running Samba daemons, not to perform static syntax checking of the configuration file.

30
MCQeasy

Which legacy SMB protocol version should be disabled for security best practices on a modern Samba server?

A.SMB2_02
B.SMB3
C.SMB2
D.SMB1
AnswerD

SMB1 (CIFS) is insecure and should be disabled.

Why this answer

SMB1 (also known as CIFS) is a legacy protocol that lacks modern security features such as pre-authentication integrity, encryption, and secure dialect negotiation. It is notoriously vulnerable to attacks like EternalBlue and SMB relay, and disabling it is a fundamental security best practice on any modern Samba server. Samba allows disabling SMB1 via the 'server min protocol = SMB2' or 'ntlm auth = no' directives in smb.conf.

Exam trap

The trap here is that candidates may confuse 'legacy' with any older protocol version, such as SMB2_02 or SMB2, and fail to recognize that SMB1 is uniquely dangerous due to its lack of encryption and signing, while SMB2 and SMB3 are considered secure enough for modern use.

How to eliminate wrong answers

Option A is wrong because SMB2_02 is an early sub-version of SMB2 that, while older, is still part of the SMB2 family and does not carry the same severe security vulnerabilities as SMB1; disabling SMB1 is the priority, not SMB2_02. Option B is wrong because SMB3 (and its variants like SMB3.0, SMB3.1.1) is the most modern and secure SMB protocol, supporting encryption, signing, and secure dialect negotiation, and should be enabled, not disabled. Option C is wrong because SMB2 is a significant security improvement over SMB1, introducing features like message signing and credit-based flow control; while older than SMB3, it is not inherently insecure and is often kept as a fallback, whereas SMB1 is the legacy protocol that must be disabled.

31
MCQmedium

A company recently upgraded their Samba server from version 4.8 to 4.13. Users report that they can connect to shares but cannot write files. The Samba team verified that the share configuration has 'writable = yes' and the Linux filesystem permissions are correct (777). Which global parameter is most likely causing the issue?

A.security = user
B.server min protocol = SMB2_02
C.map to guest = Bad User
D.workgroup = EXAMPLE
AnswerB

Setting a minimum protocol may cause SMB1 clients to fail write operations if the server does not support SMB1.

Why this answer

The correct answer is B because Samba 4.13 defaults to requiring SMB3_11 as the minimum protocol, but the client may be negotiating SMB2_02 or higher. With 'server min protocol = SMB2_02', Samba allows SMB2 connections, which lack the durable handle and lease support needed for write operations in certain configurations, or the client may be using an older SMB dialect that does not support the required write semantics. The upgrade from 4.8 to 4.13 changed the default minimum protocol from SMB2_02 to SMB3_11, and setting it explicitly to SMB2_02 can cause write failures if the client or share relies on SMB3 features like persistent handles or encryption.

Exam trap

The trap here is that candidates assume 'writable = yes' and correct filesystem permissions are sufficient, overlooking that Samba's protocol version defaults changed between major releases, causing write failures due to missing SMB3 features.

How to eliminate wrong answers

Option A is wrong because 'security = user' is a common and correct setting for Samba user-level authentication and does not affect write permissions; it controls how users are authenticated, not file write capability. Option C is wrong because 'map to guest = Bad User' only affects how guest access is mapped for invalid users and does not impact write permissions for authenticated users; it is unrelated to the write failure. Option D is wrong because 'workgroup = EXAMPLE' simply sets the NetBIOS workgroup name and has no effect on file write permissions or protocol negotiation.

32
MCQmedium

An administrator needs to create a Samba share that allows all users in the 'staff' group read/write access, but denies access to everyone else. Which configuration achieves this?

A.[share]
 path = /data
 read list = staff
 read only = yes
B.[share]
 path = /data
 valid users = @staff
 read only = no
C.[share]
 path = /data
 valid users = staff
 read only = yes
D.[share]
 path = /data
 write list = @staff
 browseable = yes
AnswerB

This restricts access to the staff group and grants read/write.

Why this answer

Option B is correct because it uses `valid users = @staff` to restrict access exclusively to members of the 'staff' group, and `read only = no` grants read/write permissions to those valid users. The `@` prefix in Samba denotes a group, ensuring only group members can connect, while `read only = no` overrides the default read-only behavior to allow writes.

Exam trap

The trap here is that candidates often forget the `@` prefix for group names in Samba, mistaking a plain group name for a valid user list, or they assume `write list` alone restricts access without realizing it only adds write privileges to users who already have read access.

How to eliminate wrong answers

Option A is wrong because `read list = staff` only grants read access to the 'staff' group, but `read only = yes` makes the share read-only for everyone, so no write access is possible. Option C is wrong because `valid users = staff` (without the `@` prefix) treats 'staff' as a username, not a group, so it would only allow a user named 'staff' to connect, not the group; additionally, `read only = yes` prevents writes. Option D is wrong because `write list = @staff` grants write access to the 'staff' group, but without a `valid users` directive, other users can still connect (e.g., as guests) and may have read access depending on global settings, failing to deny access to everyone else.

33
MCQeasy

Refer to the exhibit. A user attempts to access the 'public' share without authentication. What will be the outcome?

A.Access denied because security = user
B.Access granted as guest because map to guest = Bad User and guest ok = yes
C.Access denied because read only = yes
D.Access granted with full read/write because guest ok = yes
AnswerB

Correct; guest access is enabled.

Why this answer

Option B is correct because the Samba configuration combines `map to guest = Bad User` with `guest ok = yes`. When a user attempts to access the 'public' share without authentication, Samba treats the connection as a guest due to the 'Bad User' mapping (since no valid credentials were provided). The `guest ok = yes` directive then explicitly grants access to the share, allowing the user to connect as the guest account (typically 'nobody').

Exam trap

The trap here is that candidates assume `security = user` always blocks unauthenticated access, overlooking the fact that `map to guest = Bad User` can override this by redirecting failed logins to the guest account, especially when combined with `guest ok = yes`.

How to eliminate wrong answers

Option A is wrong because `security = user` alone does not deny guest access; it only requires user-level authentication for non-guest connections, but the `map to guest = Bad User` and `guest ok = yes` override this for unauthenticated users. Option C is wrong because `read only = yes` only restricts write operations, not read access; it does not prevent a guest from connecting and reading files. Option D is wrong because `guest ok = yes` grants access but does not automatically provide full read/write permissions; the `read only = yes` directive in the share definition restricts write access, so the user would only have read access.

34
MCQeasy

An administrator configures a Samba share with guest access. After testing, guests are prompted for a password. Which directive should be added to the [global] section to allow guest access without a password?

A.guest account = nobody
B.map to guest = Bad User
C.security = user
D.encrypt passwords = yes
AnswerB

Correct; maps unknown users to guest, enabling password-less guest access.

Why this answer

The 'map to guest = Bad User' directive in the [global] section tells Samba to automatically map any login attempt with an invalid username to the guest account, bypassing password authentication. This is the correct setting to allow guest access without a password prompt, as it treats unknown users as guests.

Exam trap

The trap here is that candidates often confuse 'guest account = nobody' with enabling guest access, but it only defines the Unix account used for guest operations, not the mechanism to bypass password prompts.

How to eliminate wrong answers

Option A is wrong because 'guest account = nobody' only sets the Unix account used for guest access (typically 'nobody'), but does not enable guest access or bypass password prompts; it must be combined with 'map to guest' or 'security = share' (deprecated). Option C is wrong because 'security = user' is the default mode requiring valid user credentials and passwords, which would still prompt guests for a password unless 'map to guest' is also set. Option D is wrong because 'encrypt passwords = yes' enables encrypted password negotiation (SMB dialect), but does not affect whether guest access is allowed without a password; it is unrelated to guest mapping.

35
MCQhard

Based on the smbstatus output, which statement is true?

A.User 'alice' connected from IP 192.168.1.10 using SMB3 protocol
B.Both users are using SMB2 protocol
C.User 'bob' is accessing share2 with write permissions
D.User 'alice' has an exclusive lock on report.pdf
AnswerA

The machine column shows win10-pc (192.168.1.10) and protocol version SMB3_11.

Why this answer

Option A is correct because the smbstatus output shows that user 'alice' is connected from IP address 192.168.1.10 and the 'Protocol' column explicitly lists 'SMB3_02', which is a variant of the SMB3 protocol. This directly matches the statement in option A.

Exam trap

The trap here is that candidates may assume 'DENY_NONE' implies no lock at all, but it actually means a lock is present that denies no access, which is the opposite of an exclusive lock; LPI often tests the distinction between share mode lock types in smbstatus output.

How to eliminate wrong answers

Option B is wrong because the smbstatus output shows user 'alice' using SMB3_02 protocol, not SMB2; user 'bob' is using SMB2_10, so they are not both using SMB2. Option C is wrong because the output shows user 'bob' accessing 'share2' but the 'Permissions' column for that share is 'R', indicating read-only access, not write permissions. Option D is wrong because the output shows user 'alice' has a 'DENY_NONE' lock on 'report.pdf', which means no exclusive lock is held; an exclusive lock would be 'DENY_ALL' or 'DENY_WRITE'.

36
Multi-Selectmedium

Which TWO parameters are used to control Samba's printer sharing? (Choose two.)

Select 2 answers
A.printer name
B.printable
C.printing
D.load printers
E.use client driver
AnswersB, D

Share-level parameter to define a printer share.

Why this answer

The `printable` parameter in Samba's smb.conf marks a share as a printer, enabling clients to send print jobs to it. The `load printers` parameter, when set to 'yes', automatically loads all printers from the system's printcap file into Samba's browse list, making them available for sharing without manual configuration.

Exam trap

The trap here is that candidates often confuse 'printable' with 'printing' or think 'printer name' is a valid parameter, but the exam tests the specific Samba directives that enable printer sharing, not the backend or naming conventions.

37
MCQhard

A Samba server experiences slow file transfers for large files. The administrator suspects oplock issues. Which set of parameters should be adjusted to disable opportunistic locking?

A.oplocks = false alone is sufficient
B.strict locking = yes
C.kernel oplocks = no
D.oplocks = no and level2 oplocks = no
AnswerD

Setting both disables all oplocks, improving performance for some workloads.

Why this answer

Option D is correct because disabling opportunistic locking (oplocks) in Samba requires setting both 'oplocks = no' and 'level2 oplocks = no'. The 'oplocks = no' directive disables exclusive oplocks, but Samba's default behavior still allows level2 oplocks (read-only caching). To fully disable all forms of oplock caching, both parameters must be set to 'no', preventing client-side caching that can cause conflicts and slow transfers for large files.

Exam trap

The trap here is that candidates assume setting 'oplocks = no' alone is sufficient, overlooking that Samba's default behavior enables level2 oplocks separately, requiring both parameters to be explicitly disabled.

How to eliminate wrong answers

Option A is wrong because setting 'oplocks = false' alone only disables exclusive oplocks; level2 oplocks remain enabled by default, allowing read caching that can still cause oplock breaks and performance issues. Option B is wrong because 'strict locking = yes' enforces byte-range locking checks on every read/write, which actually increases overhead and slows transfers, rather than disabling oplocks. Option C is wrong because 'kernel oplocks = no' disables kernel-level oplock support (used with NFS or local file systems), but does not affect Samba's own oplock mechanism; it is unrelated to disabling Samba's opportunistic locking.

38
MCQeasy

A Samba share is configured with 'browseable = yes' but Windows clients cannot see it in the network list. However, they can access it by typing the UNC path directly. Which parameter is most likely misconfigured?

A.os level
B.netbios name
C.local master
D.server string
AnswerC

This controls whether the server attempts to become the local master browser.

Why this answer

The 'local master' parameter controls whether the Samba server participates in the election for the local master browser on the subnet. If set to 'no', the Samba server will not become the master browser, and Windows clients rely on the master browser to populate the network list. Since clients can access the share via UNC path but not see it in the network list, the browsing service is failing, which is directly tied to the local master setting.

Exam trap

LPI often tests the distinction between 'browseable' (which controls visibility of individual shares) and 'local master' (which controls the server's presence in the network browse list), causing candidates to confuse share-level visibility with server-level browsing.

How to eliminate wrong answers

Option A is wrong because 'os level' influences the priority in browser elections but does not directly prevent the share from appearing in the network list; a low os level might lose an election but the server can still be a backup browser. Option B is wrong because 'netbios name' defines the server's NetBIOS name for identification; if misconfigured, the server would not be reachable by UNC path either. Option D is wrong because 'server string' is a descriptive comment shown in the network list; it does not affect whether the server appears at all.

39
MCQeasy

What is the most likely error in the configuration?

A.Section name '[share]' is invalid
B.Case sensitivity of parameter names
C.Parameter 'security mode' should be 'security'
D.Missing quotation marks around comment
AnswerC

The correct parameter is 'security', not 'security mode'.

Why this answer

Option C is correct because the Samba configuration parameter for setting the security mode is simply 'security', not 'security mode'. The correct syntax is 'security = user' (or share, server, domain, ads). Using 'security mode' is an invalid parameter name that Samba will ignore or treat as an error, causing the configuration to fail or behave unexpectedly.

Exam trap

The trap here is that candidates may assume parameter names can include spaces or that 'security mode' is a valid multi-word parameter, when in fact Samba uses single-word parameters with underscores for multi-word concepts (e.g., 'security' not 'security mode').

How to eliminate wrong answers

Option A is wrong because section names like '[share]' are valid in Samba; they define a share resource and are not inherently invalid. Option B is wrong because Samba parameter names are case-insensitive, so case sensitivity is not the issue here. Option D is wrong because quotation marks around comment values are optional in Samba; they are only needed if the comment contains spaces or special characters, but their absence is not an error.

40
MCQhard

A Samba share uses the 'acl_xattr' VFS module to store NT ACLs in extended attributes. The administrator runs 'getfattr -d /srv/share/file.txt' and sees no system attributes related to NT ACLs. What is the most likely cause?

A.The VFS module is not loaded globally.
B.The filesystem is not mounted with the 'user_xattr' option.
C.The share does not have 'nt acl support = yes' set.
D.The file's extended attributes are stored in a different namespace.
AnswerB

Extended attributes require the user_xattr mount option.

Why this answer

The 'acl_xattr' VFS module stores NT ACLs in extended attributes within the 'system' namespace. If 'getfattr -d' shows no system attributes, the most likely cause is that the underlying filesystem is not mounted with the 'user_xattr' option, which is required to enable extended attribute support. Without this mount option, the filesystem cannot store or retrieve extended attributes, so the NT ACL data is not persisted.

Exam trap

The trap here is that candidates often confuse the 'user_xattr' mount option with the 'user' namespace for extended attributes, assuming it only affects user-defined attributes, when in fact it enables all extended attribute support on the filesystem.

How to eliminate wrong answers

Option A is wrong because the 'acl_xattr' VFS module is typically loaded per share in the Samba configuration, not globally; even if it were global, the absence of system attributes points to a filesystem-level issue, not a Samba module loading problem. Option C is wrong because 'nt acl support = yes' is a separate parameter that enables Samba to map NT ACLs to POSIX ACLs, but it does not affect the storage of extended attributes; the 'acl_xattr' module handles that storage. Option D is wrong because the 'acl_xattr' module stores NT ACLs in the 'system' namespace (e.g., 'system.ntfs_acl'), not in a different namespace; if the attributes were in a different namespace, 'getfattr -d' would still show them unless the namespace is explicitly excluded.

41
MCQeasy

Which Samba component provides NetBIOS name resolution and browsing services?

A.swat
B.smbd
C.nmbd
D.winbind
AnswerC

nmbd handles NetBIOS name services and browsing.

Why this answer

The nmbd daemon is the Samba component responsible for NetBIOS name resolution and browsing services. It listens for NetBIOS name service requests (port 137/UDP) and datagram distribution (port 138/UDP), enabling Windows clients to resolve NetBIOS names to IP addresses and participate in network browsing (e.g., listing shares in Network Neighborhood). Without nmbd, Samba cannot provide legacy NetBIOS-based name resolution or browse lists, though modern Samba can also use DNS-based discovery.

Exam trap

The trap here is that candidates often confuse smbd (the core file-sharing daemon) with nmbd, assuming that file sharing inherently includes name resolution, but in Samba these are separate daemons with distinct roles.

How to eliminate wrong answers

Option A is wrong because swat (Samba Web Administration Tool) is a web-based configuration interface for editing smb.conf, not a daemon that provides NetBIOS name resolution or browsing. Option B is wrong because smbd handles file and print sharing services (SMB/CIFS protocol) and authentication, but does not perform NetBIOS name resolution or browsing. Option D is wrong because winbind is a component that integrates Samba with Windows domain authentication (e.g., resolving user/group IDs from Active Directory), not NetBIOS name resolution or browsing.

42
MCQ · medium

An organization runs a Samba server in standalone mode. They want to allow anonymous (guest) access to a public share. Which configuration option enables guest access for a share?

A. anonymous = yes
B. security = share
C. guest account = nobody
D. map to guest = Bad User and guest ok = yes
Answer: D

This maps unknown users to the guest account and allows guest access.

Why this answer

Option D is correct because Samba requires both `map to guest = Bad User` (which tells Samba to treat any connection attempt with an invalid username as a guest connection) and `guest ok = yes` (which explicitly permits guest access to the share). Without both, anonymous access will be denied. The `map to guest` directive can also be set to `Bad Password` or `Never`, but `Bad User` is the typical choice for public shares.

Exam trap

The trap here is that candidates often think `security = share` or `guest account = nobody` alone enables guest access, but Samba requires both the global `map to guest` directive and the per‑share `guest ok = yes` to actually allow anonymous connections.

How to eliminate wrong answers

Option A is wrong because `anonymous = yes` is not a valid Samba configuration parameter; Samba uses `guest ok` and `map to guest` instead. Option B is wrong because `security = share` was a legacy Samba security mode (removed in Samba 4.x) that allowed per-share password authentication but did not itself enable guest access; modern Samba uses `security = user` or `security = ads`. Option C is wrong because `guest account = nobody` only specifies which Unix account is used for guest privileges (default is `nobody`), but it does not enable guest access; the share must also have `guest ok = yes` and the global `map to guest` setting must be configured.

43
MCQ · hard

A company has a Samba server configured as a domain member in an Active Directory domain. The server runs Samba 4.13. Recently, Windows clients have been unable to access shares, and the domain join seems broken. The administrator runs 'net ads testjoin' and gets 'Join to domain is not valid'. The smb.conf includes: security = ads, realm = EXAMPLE.COM, workgroup = EXAMPLE. The administrator can successfully resolve the domain controller via DNS. What should the administrator do to fix the issue?

A. Re-run 'net ads join -U administrator' to rejoin the domain.
B. Restart the winbind service and run 'wbinfo -t'.
C. Add 'kerberos method = secrets and keytab' to smb.conf.
D. Increase the 'log level' to 3 and restart smbd.
Answer: A

This re-establishes the domain membership.

Why this answer

The 'net ads testjoin' command returned 'Join to domain is not valid', which indicates the machine account password stored in the local secrets.tdb file no longer matches the one in Active Directory. Re-running 'net ads join -U administrator' re-establishes the secure channel by resetting the machine account password and updating the Kerberos keytab, restoring the domain membership.

Exam trap

The trap here is that candidates often confuse a broken domain join with a simple service restart or trust test, but the 'Join to domain is not valid' error specifically indicates the machine account credentials are invalid and require a fresh join.

How to eliminate wrong answers

Option B is wrong because restarting winbind and running 'wbinfo -t' only tests the trust relationship with the domain controller but does not repair a broken machine account password; it would still fail if the join is invalid. Option C is wrong because 'kerberos method = secrets and keytab' is the default behavior in Samba 4.13 and adding it explicitly does not fix a corrupted machine account; the issue is not a missing Kerberos method configuration. Option D is wrong because increasing the log level and restarting smbd only provides more verbose logging for debugging but does not resolve the underlying broken domain join; it is a diagnostic step, not a fix.

44
Multi-Select · medium

Which TWO of the following are valid ways to map a Windows user to a Linux account in Samba?

Select 2 answers
A. Using a 'username map' file specified by the 'username map' parameter
B. Using 'force user' in the share definition
C. Using the 'map user' command in smbpasswd
D. Setting 'winbind use default domain = yes'
E. Using the 'valid users' directive in smb.conf
Answers: A, B

Maps Windows usernames to Linux usernames

Why this answer

Option A is correct because the 'username map' parameter in smb.conf specifies a file (e.g., /etc/samba/smbusers) that maps Windows usernames to Linux usernames. This allows Samba to translate incoming Windows user credentials to a corresponding Linux account for authentication and file access.

Exam trap

The trap here is that candidates confuse 'force user' (which overrides the authenticated user for file operations) with a mapping mechanism, when in fact it does not map Windows users to Linux accounts but instead forces all connections to run as a specific Linux user.

45
MCQ · medium

A client reports that the [public] share is visible but all files appear read-only. What is the cause?

A. The create mask = 0755 denies write permissions.
B. The read only = yes parameter forces read-only access.
C. The guest account nobody has no write permission on the file system.
D. The map to guest = Bad User is causing all users to be treated as guest.
Answer: B

Setting read only = yes makes the share read-only regardless of other permissions.

Why this answer

Option B is correct because the `read only = yes` parameter in a Samba share definition explicitly forces all files to appear read-only to clients, regardless of underlying filesystem permissions. This overrides any other permission settings and is the direct cause of the reported behavior where the share is visible but all files are read-only.

Exam trap

The trap here is that candidates often confuse filesystem permissions (like write bits or ACLs) with Samba share-level parameters, assuming that if the guest account lacks write permission, files would appear read-only, when in fact Samba reports the read-only status based on the `read only` parameter, not the guest account's filesystem rights.

How to eliminate wrong answers

Option A is wrong because `create mask = 0755` sets the maximum allowed permissions for newly created files, but it does not prevent write access to existing files; it only affects the default permissions assigned when a file is created, and a mask of 0755 still allows the owner to write. Option C is wrong because the guest account `nobody` lacking write permission on the filesystem would cause write failures, but the symptom described is that files appear read-only (i.e., the client sees them as read-only), which is a Samba-level setting, not a filesystem permission issue. Option D is wrong because `map to guest = Bad User` causes authentication failures to map users to the guest account, but it does not force read-only access; it only affects user identity, not the read-only attribute of files.

46
MCQ · easy

A Samba share is intended for guest (anonymous) access. Which global parameter must be set to allow this?

A. guest account = nobody
B. security = share
C. map to guest = Bad User
D. security = user
Answer: C

Maps unknown users to the guest account.

Why this answer

Option C is correct because the `map to guest = Bad User` parameter in Samba's global configuration forces any connection attempt with an invalid or non-existent username to be treated as a guest (anonymous) login. This is the standard way to allow anonymous access to shares while still using `security = user` (the default in modern Samba), as it maps failed authentication to the guest account.

Exam trap

The trap here is that candidates often confuse the deprecated `security = share` (which was removed in Samba 4.x) with the correct modern approach, or they think setting `guest account = nobody` alone is sufficient to enable anonymous access, when in fact `map to guest` is the key parameter that controls the mapping of failed logins to guest sessions.

How to eliminate wrong answers

Option A is wrong because `guest account = nobody` only specifies which Unix user account is used for guest privileges; it does not enable anonymous access by itself—the `map to guest` parameter must also be set. Option B is wrong because `security = share` is a deprecated Samba security mode that was removed in Samba 4.x; modern Samba requires `security = user` and uses `map to guest` to handle anonymous access. Option D is wrong because `security = user` alone requires valid credentials for every connection and does not permit anonymous access; it must be combined with `map to guest` to allow guest logins.

47
MCQ · easy

A small office uses a Samba server for file sharing. The server is running Samba 4.9 on Ubuntu 18.04. Recently, the administrator added a new user 'john' to the system and added him to the 'staff' group. However, when John tries to access the share 'docs' from his Windows laptop, he gets an 'Access Denied' error. The share configuration is:

    [docs]
    path = /srv/docs
    valid users = @staff
    read only = No
    create mask = 0644
    directory mask = 0755

The administrator verifies that John is a member of the staff group by running 'groups john' which shows staff. Other users in staff can access the share. What is the most likely cause?

A. The create mask is too restrictive for John's files.
B. The valid users parameter requires the group to be listed with a plus sign for domain groups.
C. John's Windows credentials are cached from a previous failed attempt.
D. The Samba service needs to be restarted to reload the group membership.
Answer: C

Cached credentials can cause access denied; clearing them resolves the issue.

Why this answer

Option C is correct because Samba caches user credentials and group memberships at the time of the initial connection. When John first attempted to access the share, Samba cached his credentials (including group membership) before he was added to the staff group. Even though the system now shows John as a member of staff, Samba continues to use the cached credentials, resulting in 'Access Denied'.

Clearing the cached credentials on the Windows client (e.g., via 'net use * /delete' or Credential Manager) forces a fresh authentication and group lookup.

Exam trap

The trap here is that candidates often assume Samba must be restarted or that the share configuration is incorrect, when in fact the issue is client-side credential caching—a subtle but critical detail in Samba troubleshooting.

How to eliminate wrong answers

Option A is wrong because the create mask (0644) only affects the permissions of newly created files, not the ability to access the share; John cannot even connect to the share, so file permissions are irrelevant. Option B is wrong because in Samba, the 'valid users = @staff' syntax correctly references a local Unix group; a plus sign (+) is used for domain groups in certain Samba configurations (e.g., with 'security = ads'), but this is a local group on a standalone server. Option D is wrong because Samba does not need to be restarted to reload group memberships; Samba checks group membership via the system's NSS (Name Service Switch) at authentication time, but the cached credentials on the client side override this.

48
MCQ · hard

Samba is integrated with Active Directory using security = ads. Which service is required for Kerberos authentication?

A. smbd
B. winbindd
C. samba
D. nmbd
Answer: A

smbd handles Kerberos authentication via GSSAPI.

Why this answer

When Samba is integrated with Active Directory using `security = ads`, Kerberos authentication is handled by the `smbd` daemon. `smbd` is responsible for authenticating incoming SMB connections, and in an AD domain it uses the Kerberos protocol (via the GSSAPI) to validate tickets presented by clients. Without `smbd`, no Kerberos-based authentication can occur for SMB/CIFS services.

Exam trap

The trap here is that candidates often confuse winbindd (which handles identity mapping) with the actual authentication daemon, or assume the generic 'samba' service is a single binary that handles everything, when in fact smbd is the specific daemon for Kerberos-based SMB authentication.

How to eliminate wrong answers

Option B (winbindd) is wrong because winbindd resolves user and group identities from AD and provides NSS/WINS lookups, but it does not perform Kerberos authentication itself — it relies on smbd to handle the actual ticket exchange. Option C (samba) is wrong because 'samba' is the umbrella name for the entire suite; the specific daemon that performs Kerberos authentication is smbd, not a generic 'samba' service. Option D (nmbd) is wrong because nmbd handles NetBIOS name resolution and browsing, not Kerberos authentication — it has no role in the Kerberos ticket exchange or AD authentication.

49
MCQ · medium

A company runs Samba on a Linux server to provide file shares to Windows clients. The server is also a BIND DNS server. After a recent OS upgrade, the Samba service fails to start with the error: 'Failed to create a listening socket for port 445: Permission denied'. The administrator checks that no other service is using port 445. smbd is configured to start as root. What is the most likely cause?

A. The firewall is blocking the port even though it's internal.
B. The 'socket address' parameter is set to an invalid IP.
C. SELinux is blocking the Samba port.
D. The Samba netbios name is too long.
Answer: C

SELinux policies may prevent binding to port 445; check with 'sealert' or disable SELinux to test.

Why this answer

Option C is correct because SELinux, when enforcing, can block Samba from binding to privileged ports like 445 even when the service runs as root. The error 'Permission denied' on port 445, despite no other service using it and the firewall being open, strongly indicates SELinux is denying the bind. The SELinux boolean 'samba_port_t' or the specific port context must be enabled or relabeled for Samba to bind to port 445.

Exam trap

The trap here is that candidates often assume a 'Permission denied' error on a port must be caused by a firewall or another service already binding the port, overlooking SELinux's mandatory access control which can deny the bind even when the port is free and the process runs as root.

How to eliminate wrong answers

Option A is wrong because the firewall would typically produce a 'connection refused' or timeout error, not a 'Permission denied' on the bind syscall; the error occurs at the socket creation level before any network filtering. Option B is wrong because an invalid 'socket address' parameter would cause a different error (e.g., 'Cannot assign requested address') or a failure to resolve the IP, not a generic 'Permission denied' on port 445. Option D is wrong because a NetBIOS name length (max 15 characters) does not affect socket binding; it would cause a NetBIOS name resolution or registration error, not a port bind failure.

50
MCQ · hard

An organization is using Samba as a PDC with an LDAP backend for user accounts. Which idmap backend configuration is appropriate for RFC 2307?

A. idmap config * : backend = tdb
B. idmap config * : backend = ad
C. idmap config * : backend = rid
D. idmap config * : backend = ldap
Answer: D

ldap backend stores mapping in LDAP.

Why this answer

When Samba is configured as a PDC with an LDAP backend for user accounts and RFC 2307 is used, the idmap backend must be set to `ldap` to store and retrieve Unix UID/GID mappings directly from the LDAP directory. This ensures that the POSIX attributes (uidNumber, gidNumber) defined in LDAP are used consistently across all Samba clients, which is the core requirement of RFC 2307.

Exam trap

The trap here is that candidates often confuse the `ldap` idmap backend (used for RFC 2307 with a PDC) with the `ad` backend (used for Active Directory domain membership), or incorrectly assume that a local `tdb` or algorithmic `rid` backend can work with a centralized LDAP user store.

How to eliminate wrong answers

Option A is wrong because `tdb` is a local file-based backend that stores ID mappings in a trivial database, which does not integrate with an LDAP directory and cannot provide centralized, RFC 2307-compliant mappings. Option B is wrong because `ad` is designed for Samba as an Active Directory domain member, not as a PDC with an LDAP backend, and it relies on AD-specific attributes rather than RFC 2307 schema. Option C is wrong because `rid` algorithmically generates UIDs/GIDs from the Windows RID, which bypasses the LDAP directory and cannot honor the explicit uidNumber/gidNumber values defined in RFC 2307.

51
Multi-Select · medium

Which TWO parameters in the [global] section are REQUIRED for a Samba server to act as a standalone server (not a member of a domain)?

Select 2 answers
A. server string
B. workgroup
C. security = user
D. netbios name
E. passdb backend = tdbsam
Answers: B, C

Correct; must be set to define the workgroup.

Why this answer

For a Samba standalone server, the `workgroup` parameter defines the NetBIOS workgroup name that the server will appear in, which is essential for browsing and identification on the local network. The `security = user` parameter is required because it sets the server to authenticate users locally against its own passdb backend, rather than relying on an external domain controller. Without these two, the server cannot function as a standalone unit.

Exam trap

The trap here is that candidates often think `passdb backend` must be explicitly set (like `tdbsam`) or that `netbios name` is mandatory, but Samba's defaults handle these, while `workgroup` and `security = user` are the true non-negotiable parameters for standalone operation.

52
MCQ · easy

A system administrator wants to configure a Samba share that grants read-only access to the 'staff' group and full control to the 'managers' group. Which share configuration achieves this?

A. [share] path = /srv/share valid users = +staff write list = @managers
B. [share] path = /srv/share valid users = @managers write list = @managers
C. [share] path = /srv/share valid users = +staff write list = +managers
D. [share] path = /srv/share valid users = @staff write list = @staff
Answer: A

Read-only for staff, write for managers

Why this answer

Option A is correct because the `valid users = +staff` directive restricts access to members of the 'staff' group (the `+` prefix means a Unix group), while the `write list = @managers` directive grants write access to members of the 'managers' group (the `@` prefix also means a Unix group). This combination ensures that 'staff' members have read-only access by default, and 'managers' members have full control (read/write).

Exam trap

The trap here is confusing the `+` and `@` prefixes for group references in Samba, leading candidates to incorrectly apply `+` in `write list` or `@` in `valid users` without understanding the subtle differences in their behavior.

How to eliminate wrong answers

Option B is wrong because `valid users = @managers` restricts access to only the 'managers' group, excluding the 'staff' group entirely, which does not grant read-only access to 'staff'. Option C is wrong because `valid users = +staff` uses the `+` prefix for a group, but `write list = +managers` uses the `+` prefix incorrectly; in Samba, `write list` expects the `@` prefix for groups, not `+`. Option D is wrong because `valid users = @staff` restricts access to only the 'staff' group, and `write list = @staff` gives write access to the same group, resulting in full control for 'staff' and no access for 'managers'.

53
MCQ · medium

A Samba share is configured with 'force user = jane'. A user 'bob' accesses the share. With what effective user ID will file operations be performed?

A. root
B. jane
C. nobody
D. bob
Answer: B

All file operations use the forced user 'jane'.

Why this answer

The 'force user' directive in Samba overrides the authenticated user's identity for all file operations on the share. When 'force user = jane' is set, any user accessing the share, including 'bob', will have their effective user ID changed to 'jane' for all file reads, writes, and ownership checks. This ensures that files created or modified on the share are owned by 'jane', regardless of who actually connects.

Exam trap

The trap here is that candidates often confuse 'force user' with 'valid users' or 'guest only', mistakenly thinking the connecting user's identity is preserved for file operations, when in fact 'force user' completely overrides the effective UID.

How to eliminate wrong answers

Option A is wrong because 'force user' does not map to 'root'; root is only used if explicitly specified or if the share uses 'admin users'. Option C is wrong because 'nobody' is the default guest account when 'guest ok = yes' is set, but 'force user' overrides that mapping. Option D is wrong because 'bob' is the connecting user, but 'force user' explicitly replaces his effective UID with that of 'jane' for all file operations on the share.

54
Multi-Select · easy

Which TWO smb.conf parameters can be used to restrict access to a share based on client IP address or network?

Select 2 answers
A. hosts deny
B. valid users
C. allow hosts
D. invalid users
E. hosts allow
Answers: A, E

This parameter specifies IP addresses or networks that are denied access.

Why this answer

The parameters hosts allow and hosts deny control IP-based access to shares. 'valid users' and 'invalid users' control user-level access, and 'allow hosts' is not a valid Samba parameter.

55
MCQ · medium

A company uses Samba to share files from a Linux server to Windows clients. After upgrading Samba from version 4.10 to 4.15, some users report they cannot access shares and receive 'Access denied' errors. The smb.conf has been verified and seems correct. What is the most likely cause?

A. The firewall is blocking SMB ports.
B. The users' passwords are too short.
C. The 'ntlm auth' parameter is set to 'no' in the new version.
D. The Samba service is not running after upgrade.
Answer: C

Newer Samba versions default ntlm auth to no, breaking older clients.

Why this answer

Starting with Samba 4.11, the default value of the 'ntlm auth' parameter changed from 'yes' to 'no'. This disables NTLMv1 authentication, which many legacy Windows clients or configurations still rely on. Even though the smb.conf appears correct, the new default silently blocks NTLMv1, causing 'Access denied' errors after the upgrade.

Exam trap

The trap here is that candidates assume the upgrade preserved all default settings, but Samba silently changes critical security defaults between major versions, and the 'Access denied' error is easily misattributed to firewall or service issues.

How to eliminate wrong answers

Option A is wrong because the firewall blocking SMB ports (typically 139/tcp and 445/tcp) would prevent any connection at all, not selectively cause 'Access denied' after authentication. Option B is wrong because Samba does not enforce a minimum password length by default; password length is a policy set in smb.conf or via PAM, not a version-specific change. Option D is wrong because if the Samba service were not running, users would receive 'network path not found' or 'connection refused' errors, not 'Access denied'.

56
MCQ · hard

Refer to the exhibit. A user cannot connect to the 'share2' Samba share. What is the most likely cause?

A. The Samba service is not running.
B. The user does not have permission to read the share.
C. The share name is too long.
D. The share path does not exist or is not accessible.
Answer: D

Correct; the path cannot be accessed, causing the failure.

Why this answer

Option D is correct because the most common cause of a user being unable to connect to a Samba share is that the share path specified in the smb.conf file does not exist or is not accessible by the Samba service. Samba does not create the underlying directory; it only maps the share name to a path. If the path is missing, permissions are wrong, or the filesystem is not mounted, the connection will fail with an error like 'NT_STATUS_OBJECT_PATH_NOT_FOUND'.

Exam trap

The trap here is that candidates often assume a Samba share failure is due to service status or permissions, but the LPIC-2 exam emphasizes verifying the underlying filesystem path and its mount state as a prerequisite for share connectivity.

How to eliminate wrong answers

Option A is wrong because if the Samba service were not running, the user would likely receive a 'connection refused' error or a timeout, not a share-specific failure; the question implies the user can attempt to connect but fails on the share. Option B is wrong because the user's inability to read the share is a permission issue that would typically occur after the share is successfully mounted or accessed, not at the connection stage; Samba first validates the path existence and accessibility before checking user permissions. Option C is wrong because Samba share names are limited to 255 characters in practice, and 'share2' is well within that limit; a name length issue would cause a configuration parsing error, not a connection failure.

57
Multi-Select · medium

A Linux server running Samba as a domain member is experiencing slow authentication for users. Which two configuration changes are most likely to improve authentication performance?

Select 2 answers
A. Disable SMB signing by setting 'server signing = disabled'
B. Enable 'winbind offline logon = yes'
C. Set 'idmap config * : backend = tdb' to cache ID mappings locally
D. Change 'security = ADS' to 'security = user'
E. Set 'name resolve order = lmhosts host wins bcast'
Answers: B, C

Allows cached logon

Why this answer

Option B is correct because enabling 'winbind offline logon = yes' allows winbind to cache user credentials locally, so authentication can proceed without contacting the domain controller if it is temporarily unreachable, reducing latency for repeated logins. Option C is correct because setting 'idmap config * : backend = tdb' stores ID mappings (UID/GID to SID) in a local tdb database, avoiding repeated queries to the domain controller for mapping resolution, which directly improves authentication performance in a domain member setup.

Exam trap

The trap here is that candidates often confuse 'performance improvements' with 'security reductions' (like disabling SMB signing) or 'name resolution tweaks', when the actual bottleneck is typically the round-trip time to the domain controller for authentication and ID mapping lookups, which caching directly addresses.

58
MCQ · hard

A Samba server is configured as a classic PDC (Primary Domain Controller) for a legacy network. The administrator needs to add a new machine account for a client joining the domain. Which command accomplishes this?

A. samba-tool domain add machinename
B. smbpasswd -a -m MACHINENAME
C. net rpc join machinename
D. pdbedit -a -m MACHINENAME
Answer: B

The -m flag indicates a machine account.

Why this answer

In a classic Samba PDC (Primary Domain Controller) setup, machine accounts are stored in the `smbpasswd` file (or tdbsam) and are added using `smbpasswd -a -m MACHINENAME`. The `-m` flag specifically indicates a machine account, which appends a `$` to the name and sets the appropriate flags for domain membership. This command creates the machine trust account that the client uses to join the domain.

Exam trap

The trap here is that candidates confuse the classic Samba PDC (NT4-style) commands with Samba 4 AD DC commands, or misuse client-side join commands (`net rpc join`) as server-side machine account creation commands.

How to eliminate wrong answers

Option A is wrong because `samba-tool domain add` is a command for Samba 4 AD DC (Active Directory Domain Controller) domains, not for a classic Samba PDC (NT4-style domain). Option C is wrong because `net rpc join` is used on a client machine to join a domain, not on the server to add a machine account. Option D is wrong because `pdbedit -a -m MACHINENAME` would attempt to add a machine account using the pdbedit tool, but the correct syntax is `pdbedit -a -u MACHINENAME$` (with a trailing dollar sign) and the `-m` flag is not valid for pdbedit; `smbpasswd -a -m` is the proper command for classic PDCs.

59
MCQ · hard

Your company runs a Samba file server (version 4.15) in a mixed environment with Windows 10 and Linux clients. The server is part of an Active Directory domain. Recently, a new security policy requires that all SMB connections use SMB3 encryption. You have configured 'smb encrypt = required' in the [global] section of smb.conf and restarted smbd. However, Windows clients report that they cannot connect to the server, while Linux clients can connect using mount.cifs with the 'seal' option. You check smb.conf and verify that 'server min protocol = SMB3' is set. What is the most likely cause of the Windows clients' inability to connect?

A. The 'server min protocol = SMB3' should be 'SMB2' to allow Windows 10 to negotiate SMB3
B. Windows clients do not have SMB encryption enabled by default, so they reject the required encryption
C. The Samba server must be joined to the domain again after changing encryption settings
D. The 'smb encrypt' parameter is deprecated and should be replaced by 'server smb encrypt'
Answer: B

SMB encryption must be enabled on Windows client side.

Why this answer

Windows 10 clients do not enable SMB encryption by default; they require the client to request encryption, but when the server sets 'smb encrypt = required', the server demands encryption on all connections. Windows clients without explicit encryption configuration (e.g., via Group Policy or registry) will fail to connect because they do not negotiate SMB3 encryption automatically. Linux clients succeed because mount.cifs with the 'seal' option explicitly requests encryption, matching the server's requirement.

Exam trap

The trap here is that candidates assume Windows clients automatically support and negotiate SMB3 encryption when the server requires it, overlooking that Windows clients need explicit configuration to enable encryption.

How to eliminate wrong answers

Option A is wrong because 'server min protocol = SMB3' is correct for requiring SMB3; Windows 10 supports SMB3 natively, and setting it to SMB2 would allow SMB2 connections, which is not the goal. Option C is wrong because changing encryption settings does not affect domain membership; rejoining the domain is unnecessary and would not resolve the encryption negotiation issue. Option D is wrong because 'smb encrypt' is not deprecated in Samba 4.15; 'server smb encrypt' is not a valid parameter—the correct parameter is 'smb encrypt'.

60
MCQ · easy

A company wants to use Samba to share files with Windows clients. Which service must be enabled in Samba to support Windows Active Directory domain membership?

A. nmbd
B. smbd
C. swat
D. winbind
Answer: D

Winbind allows Samba to use Windows AD for authentication and identity mapping.

Why this answer

Winbind (winbindd) is the Samba service that integrates with Windows Active Directory by resolving user and group information from the domain controller. It uses the Microsoft Active Directory authentication protocol (Kerberos) and LDAP to map Windows domain users to local Unix accounts, enabling domain membership and single sign-on.

Exam trap

The trap here is that candidates often confuse the core file-sharing service (smbd) with the domain integration service (winbind), assuming smbd alone handles AD membership because it manages shares.

How to eliminate wrong answers

Option A is wrong because nmbd handles NetBIOS name resolution and browsing, not Active Directory domain membership. Option B is wrong because smbd provides file and print sharing services but does not handle domain authentication or user/group resolution from AD. Option C is wrong because swat is a web-based administration tool for Samba configuration, not a runtime service for domain membership.

61
MCQmedium

A Samba server is configured to authenticate users against an Active Directory domain using winbind. After joining the domain, some users report that they cannot access shares, while others can. The administrator runs 'wbinfo -u' and sees a list of domain users. However, 'getent passwd' does not show domain users. Which configuration parameter is most likely missing or misconfigured in /etc/samba/smb.conf?

A.winbind enum users = yes
B.winbind use default domain = yes
C.winbind nested groups = yes
D.idmap config * : backend = tdb
AnswerA

This enables getent passwd to list domain users.

Why this answer

The `wbinfo -u` command lists domain users because it queries the winbind daemon directly, which has successfully joined the AD domain. However, `getent passwd` does not show domain users because the Name Service Switch (NSS) module for winbind is not configured to enumerate users. The parameter `winbind enum users = yes` in smb.conf tells winbind to provide user enumeration to NSS, allowing commands like `getent passwd` to return domain users.

Without this, the NSS winbind module will not list domain users, even though authentication may work for known users.

Exam trap

The trap here is that candidates assume `wbinfo -u` and `getent passwd` should behave identically, but they do not realize that `wbinfo` bypasses NSS and directly queries winbind, while `getent` relies on NSS configuration and the `winbind enum users` parameter.

How to eliminate wrong answers

Option B is wrong because `winbind use default domain = yes` controls whether usernames are prefixed with the domain name (e.g., DOMAIN\user vs. user), but it does not affect whether domain users appear in `getent passwd`; it only simplifies login names. Option C is wrong because `winbind nested groups = yes` enables recursive group membership resolution for nested AD groups, which is unrelated to user enumeration via NSS. Option D is wrong because `idmap config * : backend = tdb` sets the default ID mapping backend to a local tdb file, which is necessary for mapping SIDs to Unix UIDs/GIDs but does not control whether users are listed by `getent passwd`; enumeration is governed by the `winbind enum users` parameter.

62
MCQhard

A Samba server uses 'security = domain' with an NT4-style domain. After a domain controller outage, users cannot authenticate. Which configuration change would allow fallback to local authentication?

A.Set 'domain master = no'
B.Set 'security = user' and 'passdb backend = tdbsam'
C.Set 'local master = yes'
D.Set 'preferred master = no'
AnswerB

Correct; switches to local authentication mode.

Why this answer

When a Samba server is configured with 'security = domain', it relies on a remote NT4-style domain controller for authentication. If the domain controller is unavailable, users cannot authenticate because Samba has no local fallback. Changing to 'security = user' and setting 'passdb backend = tdbsam' switches Samba to authenticate users against its own local password database (tdbsam), allowing authentication even when the domain controller is down.

Exam trap

The trap here is that candidates confuse Samba's browsing roles (domain master, local master, preferred master) with authentication modes, assuming a browsing parameter can provide authentication fallback.

How to eliminate wrong answers

Option A is wrong because 'domain master = no' controls whether Samba participates in NetBIOS domain master browser elections, not authentication fallback. Option C is wrong because 'local master = yes' determines if Samba advertises itself as a local master browser, unrelated to authentication. Option D is wrong because 'preferred master = no' influences browser election preferences, not authentication behavior.

63
MCQhard

A Samba server is experiencing slow authentication for domain users. The logs show repeated winbind connections to the domain controllers. The administrator suspects that winbind is not caching credentials properly. Which parameter should be checked or increased to improve caching?

A.winbind rpc only
B.winbind offline logon
C.winbind cache time
D.winbind request timeout
AnswerC

This sets the number of seconds to cache authentication results.

Why this answer

The `winbind cache time` parameter controls how long winbindd caches user and group information retrieved from domain controllers. Increasing this value reduces the frequency of authentication requests to the DCs, improving performance. The default is 300 seconds; a higher value (e.g., 900 or 1800) can significantly reduce repeated connections.

Exam trap

The trap here is that candidates confuse `winbind offline logon` (which enables caching for offline scenarios) with `winbind cache time` (which controls how long cached data is considered valid), leading them to pick B instead of C.

How to eliminate wrong answers

Option A is wrong because `winbind rpc only` forces winbind to use only RPC (MS-RPC) for communication with domain controllers, which is slower and less efficient than using LDAP/Kerberos; it does not affect caching. Option B is wrong because `winbind offline logon` enables cached credentials for offline logon but does not control the duration or frequency of cache refreshes; it is about allowing logon when the DC is unreachable, not about reducing repeated connections. Option D is wrong because `winbind request timeout` sets the maximum time winbind waits for a response from a domain controller before timing out; it does not affect how long cached entries are kept.

64
Multi-Selecthard

Which THREE are valid values for the 'security' parameter in smb.conf? (Choose three.)

Select 3 answers
A.auto
B.ads
C.share
D.domain
E.user
AnswersB, D, E

Active Directory security mode.

Why this answer

Option B (ads) is correct because the 'security = ads' setting in smb.conf configures Samba to operate in Active Directory domain member mode, allowing it to join an Active Directory domain using Kerberos authentication and LDAP for identity resolution. This is a valid security mode for integrating Samba with Windows Active Directory environments.

Exam trap

The trap here is that candidates may confuse 'auto' with a valid automatic negotiation mode or assume 'share' is still valid, when in fact 'share' is deprecated and 'auto' was never a valid security setting in Samba.

65
MCQhard

A Samba server is configured as a domain member in an Active Directory environment. Users report that after changing their password on a Windows client, they cannot authenticate to Samba shares. The Samba server is using winbind and the 'idmap_ad' backend. What is the most likely cause?

A.The 'winbind offline logon' option is not enabled
B.Password changes are not replicated to the domain controller that Samba authenticates against
C.The winbind cache is outdated and needs to be cleared
D.The 'idmap backend' must be set to 'rid' instead of 'ad'
AnswerB

If the DC contacted hasn't received the updated password, authentication fails.

Why this answer

In an Active Directory domain member configuration, Samba authenticates against a specific domain controller (DC). When a user changes their password on a Windows client, the new password is initially written to the DC that processed the change. If the Samba server's winbind service is authenticating against a different DC that has not yet received the replicated password update, authentication will fail.

This is the most likely cause because password replication in AD is not instantaneous and depends on replication latency.

Exam trap

The trap here is that candidates often assume the issue is with local caching or ID mapping backends, when in fact the root cause is the asynchronous replication of password changes between domain controllers in a multi-DC environment.

How to eliminate wrong answers

Option A is wrong because 'winbind offline logon' controls cached credentials for offline access, not the replication of password changes between domain controllers. Option C is wrong because clearing the winbind cache would remove cached user/group mappings but would not fix a password mismatch caused by replication delay; the cache does not store passwords. Option D is wrong because the 'idmap backend' setting (ad vs. rid) affects how Unix IDs are mapped from AD attributes, not how password changes are replicated or authenticated.

66
MCQmedium

Refer to the exhibit. What does the output indicate about the user John Doe's access to the file report.txt?

A.The user has a lease lock.
B.The user has a read lock with no deny mode.
C.The file is opened for writing.
D.The user has an exclusive write lock.
AnswerB

Correct; DENY_NONE and RDONLY indicate a non-exclusive read lock.

Why this answer

The output shows that John Doe has a read lock on report.txt with no deny mode, meaning other processes can still read the file while he holds the lock. This is indicated by the lock type 'R' (read) and the absence of a deny mode (deny mode 'NONE'). In Samba, a read lock with no deny mode allows concurrent read access but prevents write access from other clients.

Exam trap

LPI often tests the distinction between lock type and deny mode, where candidates confuse a read lock with no deny mode for an exclusive lock or assume any lock prevents all access, but the deny mode specifically controls what other clients can do.

How to eliminate wrong answers

Option A is wrong because a 'lease lock' is a different concept in Samba (used for oplocks/leases), not indicated by the output which shows a standard read lock. Option C is wrong because the file is opened for reading, not writing; the output shows 'R' for read lock, and the open mode would be 'r' or similar, not write. Option D is wrong because an exclusive write lock would be shown as 'W' or 'DENY_WRITE' with exclusive access, but the output shows a read lock with no deny mode, which is not exclusive.

67
Multi-Selectmedium

An administrator needs to configure Samba to allow guest access to a share. Which two parameters must be set?

Select 2 answers
A.security = share
B.guest account = nobody
C.guest ok = yes in the share definition
D.map to guest = Bad User in the [global] section
AnswersC, D

This enables guest access for the share.

Why this answer

Option C is correct because setting `guest ok = yes` in the share definition explicitly allows guest (anonymous) access to that specific Samba share. Without this parameter, the share will require authentication even if other guest-related settings are configured globally.

Exam trap

The trap here is that candidates often think `security = share` alone enables guest access, but that parameter is obsolete and does not actually allow anonymous connections without `guest ok = yes` and `map to guest = Bad User`.

68
MCQeasy

A user wants to mount a Samba share on a Linux client using the command line. Which utility is used for that purpose?

A.mount.cifs
B.mount.smb
C.mount -t smbfs
D.smbclient
AnswerA

Correct; mount.cifs is the standard tool for mounting Samba shares.

Why this answer

The correct utility is mount.cifs, which is part of the cifs-utils package. It mounts Samba (SMB/CIFS) shares on Linux clients by using the Common Internet File System (CIFS) protocol, the modern implementation of SMB. The mount command with -t cifs internally calls mount.cifs, making it the standard tool for this purpose.

Exam trap

The trap here is that candidates confuse the deprecated smbfs filesystem type (mount -t smbfs) with the current cifs implementation, or they mistake smbclient (an interactive tool) for a mounting utility.

How to eliminate wrong answers

Option B (mount.smb) is wrong because no such standard utility exists; the correct command is mount.cifs, not mount.smb. Option C (mount -t smbfs) is wrong because smbfs is an older, deprecated filesystem type that was replaced by cifs in the Linux kernel; modern distributions require -t cifs instead. Option D (smbclient) is wrong because it is an FTP-like client for interacting with Samba shares interactively or for file transfers, not for mounting a share as a local filesystem.

69
MCQhard

A user 'bob' is unable to save changes to report.doc. Based on the exhibit, what is the most likely reason?

A.The oplock is set to NONE causing conflicts.
B.Bob does not have permission on the filesystem.
C.Alice has the file open with a deny-write lock.
D.The share is configured as read-only.
AnswerC

DENY_WRITE mode prevents other users from opening the file with write access.

Why this answer

Option C is correct because the exhibit shows that Alice has the file open with a deny-write lock, which prevents any other user (including Bob) from writing to the file. In Samba, this is enforced by the share mode locking mechanism, where a deny-write share access request from Alice blocks subsequent write attempts by Bob until Alice closes the file.

Exam trap

The trap here is that candidates often confuse filesystem permissions (like chmod or ACLs) with SMB share-level locks, assuming a permission error when the real issue is a file lock held by another user.

How to eliminate wrong answers

Option A is wrong because oplocks (opportunistic locks) are a client-side caching optimization that can improve performance, but they do not directly prevent a user from saving changes; an oplock set to NONE would simply disable caching, not cause a conflict that blocks writes. Option B is wrong because the exhibit does not indicate any filesystem permission issue; Bob's inability to save is due to a file lock, not a lack of read/write permissions on the underlying filesystem. Option D is wrong because if the share were configured as read-only, Bob would not be able to open the file for writing at all, but the exhibit shows Bob is attempting to save changes, implying the share allows writes in general; the issue is a specific lock held by Alice.

70
MCQeasy

After modifying /etc/samba/smb.conf, an administrator runs a command to validate the configuration. Which command is correct?

A.testparm
B.smbpasswd
C.smbcontrol
D.samba-tool
AnswerA

testparm validates the smb.conf file for syntax errors.

Why this answer

The correct command is `testparm`, which is specifically designed to validate the syntax and configuration of the `/etc/samba/smb.conf` file. It checks for errors in parameters, missing sections, and logical inconsistencies without restarting the Samba services, making it the standard tool for configuration verification.

Exam trap

The trap here is that candidates may confuse `testparm` with `smbcontrol reload-config` or `samba-tool`, thinking that reloading or using a domain tool also validates the configuration, but only `testparm` performs a dedicated syntax check without affecting running services.

How to eliminate wrong answers

Option B is wrong because `smbpasswd` is used to manage Samba user passwords (encrypting and storing them in the `smbpasswd` file or LDAP), not to validate the `smb.conf` configuration. Option C is wrong because `smbcontrol` is used to send control messages to running Samba daemons (e.g., reload configuration, shutdown), but it does not perform a syntax or validity check of the configuration file itself. Option D is wrong because `samba-tool` is a comprehensive administration tool for Samba 4 Active Directory domains (managing users, DNS, replication), not a utility for validating the basic `smb.conf` file syntax.

71
MCQmedium

Given the smb.conf exhibit, which share(s) allow write access to user 'alice' who is a member of the 'staff' group?

A.share1 and share3
B.share3 only
C.share1 only
D.share2 only
AnswerC

share1 has 'read only = no' and alice is in valid users. share2 is read-only. share3 also allows writes but is guest-oriented; alice, as an authenticated user, can also write there, but the question likely expects share1.

Why this answer

Option C is correct because in the smb.conf exhibit, share1 has 'write list = @staff' which grants write access to all members of the staff group, including user alice. share2 has 'read only = yes' and no write list, so it is read-only for everyone. share3 has 'valid users = bob' and 'write list = bob', so only bob can write; alice is not listed and is not in the bob group, so she has no write access.

Exam trap

The trap here is that candidates may assume that being a member of the 'staff' group grants write access to all shares, but they must check each share's specific 'write list' and 'valid users' directives, as share3 explicitly restricts access to bob only.

How to eliminate wrong answers

Option A is wrong because share3 does not allow write access to alice; share3's 'valid users = bob' and 'write list = bob' restrict access exclusively to bob, and alice is not bob. Option B (share3 only) is wrong for the same reason: share3 does not allow write access to alice. Option D (share2 only) is wrong because share2 has 'read only = yes' with no write list, making it read-only for all users, including alice.

72
MCQeasy

A small office uses a Linux server running Samba to share documents. The share is accessible but very slow, especially when writing large files. The network is 1 Gbps, and disk performance is fine. The smb.conf has default settings. Which change is most likely to improve write performance?

A.Set 'write cache size = 262144'.
B.Set 'strict sync = yes'.
C.Set 'use sendfile = yes'.
D.Set 'socket options = TCP_NODELAY IPTOS_LOWDELAY'.
AnswerA

This enables write caching, improving write throughput.

Why this answer

The 'write cache size' option enables a per-file write cache in Samba that buffers write operations before committing them to disk. With default settings, Samba may perform synchronous writes for each chunk, causing severe slowdowns on large file transfers. Setting a write cache size (e.g., 262144 bytes) allows Samba to aggregate writes, dramatically improving throughput on a fast network with adequate disk performance.

Exam trap

The trap here is that candidates often confuse 'write cache size' with client-side caching or misattribute performance issues to network tuning, overlooking that Samba's default write behavior is synchronous and unbuffered.

How to eliminate wrong answers

Option B is wrong because 'strict sync = yes' forces Samba to honor synchronous write requests from clients (e.g., via O_SYNC), which actually degrades write performance by ensuring every write is flushed to disk immediately. Option C is wrong because 'use sendfile = yes' optimizes read operations by allowing zero-copy data transfer from disk to network, but it does not affect write performance. Option D is wrong because 'socket options = TCP_NODELAY IPTOS_LOWDELAY' reduces latency for small packets and prioritizes traffic, but it does not address the buffering of write data; it may even hurt bulk throughput by disabling Nagle's algorithm.

73
Multi-Selectmedium

Which THREE of the following parameters can improve Samba file transfer performance under heavy load?

Select 3 answers
A.strict allocate = Yes
B.oplocks = Yes
C.write raw = Yes
D.socket options = TCP_NODELAY IPTOS_LOWDELAY
E.read raw = Yes
AnswersC, D, E

Enables large write requests for improved throughput.

Why this answer

Option C is correct because enabling 'write raw = Yes' allows Samba to use the raw write SMB protocol, which sends larger write requests without waiting for intermediate acknowledgments, reducing protocol overhead and improving throughput under heavy load. This setting is particularly effective when combined with other performance tuning parameters.

Exam trap

The trap here is that candidates often confuse 'oplocks' or 'strict allocate' as performance boosters for raw throughput, when in fact they serve different purposes (caching and space allocation) and can even degrade performance under heavy load.

74
Multi-Selecteasy

A Linux server provides file sharing to Windows clients via Samba. The administrator notices that Windows clients are unable to resolve the NetBIOS name of the server. Which two services are essential for NetBIOS name resolution? (Choose two.)

Select 2 answers
A.DNS
B.nmbd
C.DHCP
D.winbindd
E.smbd
AnswersB, E

nmbd handles NetBIOS name services (NBNS).

Why this answer

B is correct because nmbd is the Samba NetBIOS name server daemon that handles NetBIOS name resolution by listening for and responding to NetBIOS name queries on UDP ports 137 and 138. Without nmbd running, Windows clients cannot resolve the server's NetBIOS name to an IP address, which is required for SMB/CIFS communication over NetBIOS.

Exam trap

The trap here is that candidates often confuse smbd (the file sharing daemon) with nmbd (the name resolution daemon), assuming smbd alone is sufficient for NetBIOS name resolution, or they incorrectly think DNS or DHCP are involved in NetBIOS name resolution.

75
Multi-Selecthard

Which TWO conditions are most likely to cause 'NT_STATUS_ACCESS_DENIED' when accessing a Samba share?

Select 2 answers
A.Lmhosts file misconfiguration
B.SMB protocol version mismatch
C.Linux filesystem permissions disallow write
D.Share permissions set to read-only for the user
E.Windows firewall blocking port 445
AnswersC, D

Denies write access at the filesystem level.

Why this answer

Option C is correct because Samba ultimately relies on the underlying Linux filesystem permissions to enforce write access. Even if Samba share permissions allow writing, if the Linux user or group mapped to the Samba session lacks write permission on the file or directory (e.g., due to chmod or ACL settings), the kernel will deny the write operation, resulting in NT_STATUS_ACCESS_DENIED. This is a common misconfiguration where administrators set share-level permissions correctly but forget to adjust the filesystem ACLs.

Exam trap

The trap here is that candidates often assume Samba's share-level permissions are the sole gatekeeper, forgetting that Linux filesystem permissions are enforced independently and can override share-level settings.
