CCNA File Sharing and Samba Questions

20 of 95 questions · Page 2/2 · File Sharing and Samba · Answers revealed

76
MCQ · hard

A Samba server is configured with 'vfs objects = recycle' to implement a recycle bin. After some time, users notice that deleted files are not appearing in the recycle bin. Which parameter is likely misconfigured?

A. recycle:maxsize
B. recycle:keeptree
C. recycle:repository
D. recycle:versions
Answer: C

Correct; if the repository path is invalid or missing, files are not moved.

Why this answer

The `vfs objects = recycle` module requires the `recycle:repository` parameter to specify the directory where deleted files should be moved. If this parameter is missing or misconfigured, the recycle bin will not function, and deleted files will be permanently removed instead of being stored in the recycle repository.

Exam trap

The trap here is that candidates often confuse the purpose of `recycle:maxsize` or `recycle:versions` with the core requirement of defining the repository path, leading them to overlook the mandatory `recycle:repository` parameter.

How to eliminate wrong answers

Option A is wrong because `recycle:maxsize` limits the maximum size of files that can be recycled, but if it is misconfigured, files exceeding the limit would be permanently deleted, not that no files appear at all. Option B is wrong because `recycle:keeptree` preserves the directory structure within the recycle repository; its misconfiguration would affect the organization of recycled files, not their absence. Option D is wrong because `recycle:versions` controls whether to keep multiple versions of files with the same name; misconfiguration would affect versioning behavior, not the complete failure to recycle files.

77
MCQ · easy

A new user needs access to a Samba share. The administrator adds the user to the system with `adduser alice` and then sets up a Samba password. Which command is used to set the Samba password?

A. passwd -a alice
B. smbpasswd -a alice
C. pdbedit -a -u alice
D. net ads user add alice
Answer: B

-a adds a new Samba user and prompts for a password.

Why this answer

The correct command is `smbpasswd -a alice`. This command adds a new user to the Samba password database and sets their initial Samba password. The `-a` flag specifically indicates that the user should be added to the local Samba user database (smbpasswd file or tdbsam), which is required before the user can authenticate to Samba shares.

Exam trap

The trap here is that candidates confuse the Linux system password command (`passwd`) with the Samba-specific password command (`smbpasswd`), or mistakenly think `pdbedit` is the primary tool for setting a password interactively, when in fact `pdbedit` is more for managing the database entries and `smbpasswd` is the standard interactive tool for setting passwords.

How to eliminate wrong answers

Option A is wrong because `passwd -a alice` is not a valid command; `passwd` is used to change local Linux system passwords, not Samba passwords, and the `-a` flag does not exist for `passwd`. Option C is wrong because `pdbedit -a -u alice` is used to add or modify a user in the Samba password database, but it does not set the password interactively; it requires a separate `-t` option or a password hash, and is typically used for bulk or scripted operations, not for initial password assignment. Option D is wrong because `net ads user add alice` is used to add a user to an Active Directory domain, not to set a Samba password for a local Samba user; it is part of the `net ads` tool for domain integration.

78
MCQ · easy

What is the purpose of the 'idmap config * : backend = tdb2' line?

A. It sets the default identity mapping backend to tdb2.
B. It specifies the security mode as user.
C. It defines the default domain for Samba.
D. It enables the winbind cache.
Answer: A

The backend for the * (default) domain is set to tdb2.

Why this answer

The 'idmap config * : backend = tdb2' line in Samba's smb.conf configures the default identity mapping backend for all domains not explicitly specified. The asterisk (*) acts as a wildcard representing any domain, and 'tdb2' is a high-performance, cluster-aware database backend that stores mappings between Windows SIDs and Unix UIDs/GIDs. This ensures that when a user or group from an unspecified domain is encountered, Samba uses tdb2 to manage the ID mapping, making option A correct.

Exam trap

The trap here is that candidates often confuse the wildcard '*' in idmap config with a domain-specific setting, thinking it applies only to a domain named '*', or they mistakenly associate it with security modes or domain definitions, rather than recognizing it as the default backend for all unspecified domains.

How to eliminate wrong answers

Option B is wrong because 'idmap config' lines are unrelated to security modes; the security mode (e.g., user, ads, domain) is set via the 'security' parameter in the [global] section, not through identity mapping configuration. Option C is wrong because defining the default domain for Samba is done with the 'workgroup' parameter or 'realm' for Active Directory, not with an idmap configuration line. Option D is wrong because enabling the winbind cache is controlled by parameters like 'winbind cache time' or 'winbind enum users/groups', not by the idmap backend setting.

79
Multi-Select · hard

Which THREE statements about Samba's 'net' command are true? (Choose three.)

Select 3 answers
A. net ads join joins the server to an Active Directory domain
B. net conf drop drops all database connections
C. net usershare add creates a user-defined share
D. net rpc info displays domain information from a Windows NT4-style domain
E. net share lists shares on the local Samba server
Answers: A, C, D

Correct usage for AD join.

Why this answer

Option A is correct because 'net ads join' is the Samba command used to join a Linux server to an Active Directory domain, leveraging the Kerberos and LDAP protocols to authenticate and register the server as a domain member. This is a core function for integrating Samba with modern Windows domains.

Exam trap

LPI often tests the distinction between 'net share' (remote share listing via RPC) and 'net usershare list' (local user-defined shares), leading candidates to incorrectly assume 'net share' works locally.

80
MCQ · hard

A Samba server is configured as a print server. Clients running Windows 10 report that printer drivers cannot be uploaded. The relevant smb.conf section is:

```
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes
```

What is the most likely cause?

A. The 'printable = yes' directive is missing
B. The 'path' is incorrectly set to /var/spool/samba
C. The 'guest ok = yes' directive is missing
D. The 'browseable = no' directive prevents driver discovery
Answer: C

Needed for driver upload

Why this answer

The 'printable = yes' directive is present, so option A is not the issue. The 'path' /var/spool/samba is the standard spool directory for Samba print jobs, so option B is incorrect. The 'browseable = no' only hides the share from browsing, but does not prevent driver uploads; Windows clients can still connect directly.

The most likely cause is that 'guest ok = yes' is missing, because by default Samba requires authentication for printer shares, and Windows 10 clients attempting to upload drivers often do so under the guest account (or without valid credentials) unless the share explicitly allows guest access. Without 'guest ok = yes', the upload is denied.

Exam trap

The trap here is that candidates mistakenly think 'browseable = no' prevents driver discovery, when in fact Windows driver uploads rely on direct UNC connections (e.g., \\server\printername) and are independent of browseability.

How to eliminate wrong answers

Option A is wrong because 'printable = yes' is already present in the configuration, and it is required for a print share; its absence would prevent printing, not driver uploads. Option B is wrong because /var/spool/samba is the correct default spool directory for Samba print jobs; changing it would not affect driver uploads. Option D is wrong because 'browseable = no' only hides the share from network browsing (e.g., in Windows Explorer), but does not prevent Windows clients from connecting directly via the printer path or uploading drivers; driver discovery and upload use the printer's UNC path, not browsing.

81
MCQ · medium

An administrator wants to restrict access to a Samba share based on client IP addresses. Which parameter in the [share] section of smb.conf should be used?

A. hosts allow
B. allow hosts
C. browseable
D. valid users
Answer: A

'hosts allow' defines IP-based access control per share.

Why this answer

The `hosts allow` parameter in the `[share]` section of `smb.conf` restricts access to the Samba share based on client IP addresses or subnets. It is the correct directive for IP-based access control, allowing the administrator to specify which hosts are permitted to connect. This parameter is evaluated before authentication, blocking unauthorized IPs at the connection level.

Exam trap

The trap here is that candidates confuse the parameter order (`allow hosts` vs `hosts allow`) or mistakenly think `valid users` can filter by IP, when it only filters by authenticated user identity.

How to eliminate wrong answers

Option B is wrong because `allow hosts` is not a valid Samba parameter; the correct syntax is `hosts allow` (with the keyword order reversed). Option C is wrong because `browseable` controls whether the share appears in network browse lists, not IP-based access restrictions. Option D is wrong because `valid users` restricts access based on usernames or groups, not client IP addresses.

82
MCQ · hard

An enterprise environment uses Samba as an Active Directory domain controller using Samba 4.11. The administrator needs to configure a read-only domain controller (RODC) for a remote branch office. Which of the following steps is correct?

A. On the RODC server, run 'samba-tool domain join EXAMPLE.COM member' and then promote to RODC.
B. Install Samba on the RODC server, then run 'samba-tool domain provision --domain=EXAMPLE --adminpass=Pa$$w0rd' on the RODC.
C. On the existing DC, run 'samba-tool domain rodc create rodc-name' and then on the RODC server join with 'samba-tool domain join EXAMPLE.COM RODC'.
D. Install Samba on the RODC server, then run 'samba-tool domain join EXAMPLE.COM RODC -UAdministrator'.
Answer: C

This correctly pre-creates the RODC account and then joins.

Why this answer

Option C is correct because Samba 4.11 requires the RODC computer account to be pre-created on the existing DC using 'samba-tool domain rodc create', which sets up the necessary krbtgt account and replication metadata. The RODC server then joins the domain as a read-only domain controller with 'samba-tool domain join EXAMPLE.COM RODC', which authenticates against the pre-created account and configures the local Samba instance as a read-only replica.

Exam trap

The trap here is that candidates often assume a simple domain join with the RODC role flag is sufficient, overlooking the mandatory pre-creation step on the existing DC that Samba requires to establish the RODC's unique security context.

How to eliminate wrong answers

Option A is wrong because joining as a 'member' creates a domain member server, not a domain controller; promoting it to RODC afterward is not a supported workflow in Samba 4.11 and would lack the pre-created RODC account. Option B is wrong because 'samba-tool domain provision' creates a new domain, which is incorrect for adding a RODC to an existing domain; it would overwrite the domain configuration and cause a conflict. Option D is wrong because while the join command syntax is close, it omits the critical prerequisite step of pre-creating the RODC account on the existing DC; without this, the join will fail as Samba requires the RODC computer object and associated krbtgt account to exist beforehand.

83
MCQ · medium

A Samba server is configured as above. Users alice and bob have local system accounts but neither can connect to the share. What is the most likely cause?

A. The share path /srv/share does not exist or has incorrect permissions.
B. The parameter 'read only = no' is misspelled; it should be 'writable = yes'.
C. The users have not been added to the Samba password database.
D. The valid users list must use group names with '@' prefix, not individual names.
Answer: C

Users must be added with smbpasswd -a or pdbedit -a to enable Samba authentication.

Why this answer

Option C is correct. With security = user and passdb backend = tdbsam, each user must be added to the Samba password database using smbpasswd -a or pdbedit -a. Without this, authentication fails even though the system accounts exist.

Option A is possible but less likely given typical troubleshooting. Option D is incorrect because individual user names are valid in valid users. Option B is incorrect because 'read only = no' is a valid parameter.

84
MCQ · hard

A Samba server is configured to store NT ACLs on a Linux filesystem that does not support them natively. Which VFS module should be used to map NT ACLs to POSIX ACLs?

A. vfs objects = recycle
B. vfs objects = full_audit
C. vfs objects = streams_xattr
D. vfs objects = acl_xattr
Answer: D

acl_xattr stores NT ACLs in xattr and maps them to POSIX ACLs.

Why this answer

Option D is correct because the `acl_xattr` VFS module is specifically designed to store NT ACLs in extended attributes on a Linux filesystem that lacks native NT ACL support. When Samba is configured with `vfs objects = acl_xattr`, it maps Windows NT ACLs to POSIX ACLs by serializing the NT ACL into the `user.NTACL` extended attribute, allowing Samba to enforce Windows-style permissions even on filesystems like ext4 or XFS that only support POSIX ACLs natively.

Exam trap

The trap here is that candidates often confuse the `streams_xattr` module (which handles alternate data streams) with the `acl_xattr` module, because both use extended attributes, but only `acl_xattr` maps NT ACLs to POSIX ACLs.

How to eliminate wrong answers

Option A is wrong because the `recycle` VFS module is used to implement a recycle bin for deleted files, not for ACL mapping. Option B is wrong because the `full_audit` VFS module is used for logging Samba operations, not for storing or mapping NT ACLs. Option C is wrong because the `streams_xattr` VFS module is used to support NTFS alternate data streams by storing them in extended attributes, but it does not handle NT ACL to POSIX ACL mapping.

85
MCQ · medium

A company runs a mixed Linux/Windows environment. The Samba server (version 4.15) is configured as a domain member using 'security = ADS'. Recently, the IT team enabled 'winbind use default domain = yes' to simplify logins. After the change, users report that they can no longer access Samba shares when authenticating with just their username (e.g., 'jdoe') instead of 'DOMAIN\jdoe'. However, authentication using the full domain-qualified name still works. The smb.conf includes:

```
[global]
security = ADS
workgroup = MYDOM
realm = MYDOM.LOCAL
winbind use default domain = yes
winbind separator = /
```

Users are in the 'Domain Users' group and the share configuration is:

```
[share]
path = /srv/share
valid users = @"MYDOM\domain users"
```

Which of the following is the most likely cause and solution?

A. Change 'winbind separator' to backslash or remove it to default to backslash
B. Disable 'winbind use default domain' to force full domain qualification
C. The valid users line uses quotes around the group name; remove the quotes
D. Enable 'winbind offline logon' to allow cached credentials
Answer: A

The separator mismatch causes authentication failures

Why this answer

Option A is correct because when 'winbind use default domain = yes' is set, Samba expects the winbind separator to be a backslash (\), not a forward slash (/). With a forward slash separator, the username 'jdoe' is not correctly mapped to 'MYDOM\jdoe' during authentication, causing access failures. Changing the separator to backslash (or removing it to default to backslash) resolves the issue by aligning with Samba's internal handling of default domain usernames.

Exam trap

The trap here is that candidates often assume the forward slash separator is interchangeable with backslash in Samba, but in the context of 'winbind use default domain = yes', only backslash works correctly for default domain username resolution.

How to eliminate wrong answers

Option B is wrong because disabling 'winbind use default domain' would force users to always use full domain qualification (e.g., 'MYDOM\jdoe'), which contradicts the goal of simplifying logins and does not fix the separator mismatch. Option C is wrong because the quotes around the group name in the valid users line are syntactically correct in Samba; they do not cause authentication failures, and removing them would not resolve the separator issue. Option D is wrong because 'winbind offline logon' is used for caching credentials for offline access, not for fixing username mapping or separator problems in a domain member configuration.

86
MCQ · medium

A Samba share requires that users must provide valid credentials, but the share should be accessible to any authenticated user without further restrictions. Which security mode should be used?

A. security = domain
B. security = server
C. security = share
D. security = user
Answer: D

This requires valid credentials for each connection.

Why this answer

The `security = user` mode requires each user to provide valid credentials (username and password) to access the share, but once authenticated, the share is accessible without further per-share restrictions. This matches the requirement exactly: authentication is mandatory, but authorization is not granularly controlled per share beyond the user's identity.

Exam trap

The trap here is that candidates confuse 'authentication' with 'authorization' and assume `security = share` is correct because it sounds like 'sharing without restrictions,' but `security = share` actually bypasses user-level authentication entirely.

How to eliminate wrong answers

Option A is wrong because `security = domain` requires the Samba server to be a member of a Windows domain and relies on a domain controller for authentication, which is overkill and not necessary for a simple authenticated share without further restrictions. Option B is wrong because `security = server` is deprecated and delegates authentication to another SMB server, which adds complexity and is not the standard way to require user credentials for a local share. Option C is wrong because `security = share` allows access without per-user authentication (often using a guest or anonymous connection), which directly contradicts the requirement that users must provide valid credentials.

87
Multi-Select · medium

An administrator is setting up a Samba share for a project team. The team members are in different UNIX groups. Which three options can be used to restrict access to specific users or groups? (Choose three.)

Select 3 answers
A. read list
B. write list
C. force group
D. invalid users
E. valid users
Answers: A, D, E

Specifies users and groups that have read-only access.

Why this answer

Option A (read list) is correct because it explicitly restricts read-only access to a list of users or groups, allowing the administrator to control which users can only read files in the Samba share. This is a direct Samba parameter that limits access to specific users or groups, even if they are in different UNIX groups.

Exam trap

The trap here is that candidates often confuse 'write list' as a restriction mechanism, but it actually grants write access, not restricts it, while 'force group' is a red herring that deals with ownership, not access control.

88
Multi-Select · easy

Which THREE commands are specifically used to diagnose Samba issues?

Select 3 answers
A. smbstatus
B. testparm
C. smbtree
D. netstat
E. ping
Answers: A, B, C

Shows current Samba connections and locked files.

Why this answer

smbstatus is correct because it displays the current Samba connections, including active SMB sessions, open files, and locked files, which is essential for diagnosing who is accessing Samba shares and what resources are in use. It queries the Samba internal state via the smbd daemon, providing real-time diagnostic information about connected clients.

Exam trap

The trap here is that candidates may confuse general network troubleshooting tools (like netstat or ping) with Samba-specific diagnostic commands, assuming any network tool can diagnose Samba issues, but only commands that directly interact with Samba daemons or its configuration are valid for this purpose.

89
MCQ · hard

A Samba server configured as an Active Directory domain member is unable to authenticate users from the domain. The administrator verifies that DNS resolution works, but `wbinfo -u` returns no output. What is the most likely cause?

A. The smb.conf file is missing the 'idmap config' lines.
B. The winbind service is not running.
C. The Kerberos ticket is expired.
D. The system clock is not synchronized with the domain controller.
Answer: B

If winbind is not running, `wbinfo -u` cannot retrieve domain users.

Why this answer

The `wbinfo -u` command queries the winbind service to list domain users. If it returns no output, the most likely cause is that the winbind service is not running, as it is responsible for resolving Windows domain users and groups on a Samba member server. Without winbind, Samba cannot authenticate domain users even if DNS and Kerberos are working correctly.

Exam trap

The trap here is that candidates assume DNS or Kerberos issues are the root cause because they are common in domain authentication problems, but the specific symptom of `wbinfo -u` returning no output directly points to the winbind service not running, not to higher-layer protocol failures.

How to eliminate wrong answers

Option A is wrong because missing 'idmap config' lines in smb.conf would cause issues with mapping domain users to UIDs/GIDs, but `wbinfo -u` would still return usernames if winbind is running and can contact the domain controller. Option C is wrong because an expired Kerberos ticket would cause authentication failures (e.g., 'kinit' errors), but `wbinfo -u` does not rely on a cached TGT; it uses the machine account credentials via winbind. Option D is wrong because clock skew with the domain controller would cause Kerberos authentication failures, but `wbinfo -u` would still work if winbind is running and the clock difference is within default tolerances (typically 5 minutes).

90
MCQ · medium

A user in group staff (but not admin) tries to write to the share. What is the most likely error?

A. NT_STATUS_BAD_NETWORK_NAME
B. NT_STATUS_ACCESS_DENIED
C. Connection successful but cannot write
D. NT_STATUS_OBJECT_NAME_NOT_FOUND
Answer: C

The user can connect (valid includes staff) but write fails due to read only and no write list.

Why this answer

Option C is correct because the user is in group 'staff' but not 'admin', and the Samba share configuration likely has 'write list = @admin' or similar, restricting write access to the admin group. The connection succeeds (the share is visible and readable), but the write operation fails silently or returns a permission error at the filesystem level, not a network-level error. This matches the scenario where authentication passes but authorization for writing fails.

Exam trap

The trap here is that candidates confuse network-level errors (bad network name, object not found) with authorization errors, assuming any failure to write must produce a specific NT_STATUS code, when in practice Samba often returns a generic 'cannot write' message at the client level.

How to eliminate wrong answers

Option A is wrong because NT_STATUS_BAD_NETWORK_NAME indicates the share name itself is invalid or not found, which would prevent any connection, not just write access. Option B is wrong because NT_STATUS_ACCESS_DENIED is a generic error that could occur, but in Samba, when a user can connect but lacks write permissions, the client often reports 'cannot write' rather than a distinct NT_STATUS_ACCESS_DENIED; the question specifies 'most likely error' based on typical Samba behavior. Option D is wrong because NT_STATUS_OBJECT_NAME_NOT_FOUND means a specific file or directory within the share is missing, not that the user lacks write permission to the share root.

91
MCQ · hard

A user alice is connected to the 'data' share via smbd, but a file is locked. Which command can forcibly close the file?

A. smbpasswd -L -e alice
B. smbcontrol smbd close-share data
C. systemctl restart nmbd
D. kill -9 $(pgrep smbd)
Answer: B

smbcontrol can interact with smbd to close a share.

Why this answer

Option B is correct because `smbcontrol smbd close-share data` sends a message to the smbd process to forcibly close all open files on the 'data' share, releasing any locks held by users like alice. This command directly targets the Samba daemon's internal state without disrupting the entire service or other shares.

Exam trap

The trap here is that candidates may confuse `smbcontrol` with other Samba utilities or think that restarting the entire Samba service (nmbd or smbd) is the only way to clear locks, overlooking the targeted `close-share` command.

How to eliminate wrong answers

Option A is wrong because `smbpasswd -L -e alice` enables a local Samba user account but does not affect file locks or close open files. Option C is wrong because `systemctl restart nmbd` restarts the NetBIOS name service daemon, which handles name resolution, not file locking or share connections. Option D is wrong because `kill -9 $(pgrep smbd)` forcefully terminates all smbd processes, which would close all files but also disconnect all users and disrupt Samba services, whereas the question asks for a command that forcibly closes a specific file without unnecessary disruption.

92
Multi-Select · easy

An administrator wants to configure Samba to allow only specific users to access a share. Which TWO configuration parameters in smb.conf can be used to restrict access based on usernames?

Select 2 answers
A. hosts allow
B. invalid users
C. write list
D. valid users
E. read list
Answers: B, D

Specifies which users are denied access to the share.

Why this answer

Option B (invalid users) is correct because it explicitly lists usernames that are denied access to a share, overriding any other access controls. Option D (valid users) is correct because it restricts access to only the specified usernames, denying all others. Both parameters operate at the Samba share level and directly filter based on usernames.

Exam trap

The trap here is that candidates often confuse 'valid users' and 'invalid users' with access control lists (ACLs) or think they only affect write permissions, when in fact they control all access (read and write) to the share.

93
MCQ · medium

A Samba server provides printer sharing using CUPS. Which three global parameters are essential for CUPS integration? (Select THREE)

A. printing = cups
B. cups server = localhost
C. printcap name = cups
D. load printers = yes
E. cups options = "raw"
Answer: A, C, D

Specifies CUPS as the printing system.

Why this answer

Option A is correct because the `printing = cups` parameter explicitly tells Samba to use CUPS as its printing subsystem, enabling communication between Samba and CUPS via the CUPS API. This is essential for Samba to send print jobs to CUPS-managed printers and to retrieve printer information from CUPS.

Exam trap

The trap here is that candidates often assume `cups server = localhost` is required for local CUPS integration, but it is actually the default and only needed for remote CUPS servers, while `cups options = "raw"` is a common but non-essential tuning parameter, not a core requirement.

How to eliminate wrong answers

Option B is wrong because `cups server = localhost` is not a required global parameter; Samba defaults to connecting to CUPS on localhost, and this setting is only needed if CUPS runs on a different host. Option E is wrong because `cups options = "raw"` is not a global parameter for basic CUPS integration; it is an optional per-printer or global setting used to bypass CUPS filtering (e.g., for sending raw data to printers), and it is not essential for enabling CUPS support.

94
MCQ · hard

A company is migrating from a workgroup environment to an Active Directory domain. The Samba server is already configured as a domain member using winbind. The administrator wants to ensure that files created by domain users on the Samba server are owned by the corresponding UNIX user accounts derived from the domain. Which idmap backend and configuration is recommended for this purpose?

A. idmap config * : backend = ad
B. idmap config * : backend = tdb
C. idmap config * : backend = autorid
D. idmap config * : backend = rid
Answer: D

This derives UIDs from RIDs for consistent mapping.

Why this answer

Option D is correct because the 'rid' backend uses the RID of domain users to generate consistent UNIX IDs without a mapping database, which is simple and common. Option B is wrong because 'tdb' is for local mapping, not consistent across machines. Option A is wrong because 'ad' requires RFC2307 schema in AD.

Option C is wrong because 'autorid' is for multiple domains but may not provide consistent IDs.

95
MCQ · hard

A Samba server is configured with 'security = ads' and joined to an Active Directory domain. Users can authenticate but cannot access shares. The smb.conf includes 'winbind use default domain = yes'. What could be the problem?

A. The 'winbind use default domain' option should be 'no'
B. The 'idmap backend' is not configured
C. The Samba server's time is not synchronized with the domain controller
D. The 'valid users' parameter uses domain prefix while default domain is set
Answer: D

If valid users expects 'DOMAIN\user' but winbind strips the domain, authentication fails.

Why this answer

When 'winbind use default domain = yes' is set, Winbind strips the domain prefix from usernames, so users authenticate as 'username' instead of 'DOMAIN\username'. If the 'valid users' parameter in a share definition explicitly uses the domain prefix (e.g., 'valid users = DOMAIN\username'), the stripped username will not match, and access is denied. This mismatch is the most direct cause of authentication succeeding but share access failing.

Exam trap

The trap here is that candidates assume authentication success means all Samba operations are fine, overlooking the subtle interaction between 'winbind use default domain' and share-level access control parameters like 'valid users'.

How to eliminate wrong answers

Option A is wrong because setting 'winbind use default domain = no' would require users to always specify the domain prefix, which does not resolve the mismatch if 'valid users' already uses a prefix; the core issue is the inconsistency between the default domain setting and the share's user specification. Option B is wrong because the 'idmap backend' configuration is essential for mapping SIDs to UIDs/GIDs, but a missing or misconfigured idmap backend typically causes authentication failures or inability to resolve user identities, not a scenario where users can authenticate but cannot access shares due to a 'valid users' mismatch. Option C is wrong because time synchronization with the domain controller is critical for Kerberos authentication; if time were out of sync, authentication itself would fail (with a clock skew error), not just share access.
