CCNA Network Client Management Questions

75 of 81 questions · Page 1/2 · Network Client Management · Answers revealed

1
MCQhard

Which command can be used to test the entire name resolution order as defined in nsswitch.conf?

A.host
B.getent hosts
C.nslookup
D.dig
AnswerB

Tests resolution via nsswitch.

Why this answer

The `getent hosts` command queries the system's Name Service Switch (NSS) configured sources in the exact order defined in `/etc/nsswitch.conf`. It uses the `gethostbyname()` or `getaddrinfo()` library calls, which respect the `hosts:` line in nsswitch.conf (e.g., `files dns myhostname`), testing resolution through each source sequentially until a result is found or all sources are exhausted.

Exam trap

The trap here is that candidates often choose `dig` or `host` because they are familiar DNS tools, but they fail to realize that these commands bypass the NSS configuration and only test DNS, not the full resolution order including local files or other sources like `myhostname`.

How to eliminate wrong answers

Option A is wrong because `host` is a DNS lookup tool that bypasses the NSS configuration and queries DNS directly via the resolver library, not testing files like `/etc/hosts` or other NSS sources. Option C is wrong because `nslookup` is a deprecated DNS diagnostic tool that queries DNS servers directly, ignoring the NSS order entirely. Option D is wrong because `dig` is a flexible DNS lookup utility that performs direct DNS queries and does not consult `/etc/nsswitch.conf` or local name resolution sources like `/etc/hosts`.

2
Multi-Selecteasy

Which TWO commands can be used to display the current IP address and netmask of network interfaces on a Linux system?

Select 2 answers
A.arp -a
B.ifconfig
C.ip addr show
D.netstat -i
E.route -n
AnswersB, C

Traditional command to display interface configuration, including IP and netmask.

Why this answer

Both `ifconfig` and `ip addr show` can display the current IP address and netmask assigned to network interfaces. `ifconfig` is a legacy tool from the net-tools package that shows IPv4 addresses and netmasks (e.g., `inet 192.168.1.10 netmask 255.255.255.0`). `ip addr show` is the modern replacement from the iproute2 package, providing detailed IPv4 and IPv6 addressing information, including netmask in CIDR notation (e.g., `192.168.1.10/24`).

Exam trap

The trap here is that candidates may confuse `netstat -i` (interface statistics) with displaying IP configuration, or assume `arp -a` shows local interface addresses instead of remote MAC mappings.

3
MCQmedium

A Linux client is configured to use PAM for authentication against an LDAP server. The /etc/pam.d/system-auth includes 'auth required pam_ldap.so'. Users can authenticate successfully. However, when a user runs 'id username', it shows 'uid=1000(username) gid=100(users) groups=100(users)' but the LDAP group membership is not shown. Which configuration file is most likely misconfigured?

A.The PAM configuration uses 'required' instead of 'sufficient' for pam_ldap.
B.The /etc/ldap.conf file is missing the 'nss_base_group' line.
C.The /etc/nsswitch.conf 'group' line does not include 'ldap'.
D.The autofs service is not running.
AnswerC

Without this, group info comes only from files.

Why this answer

The 'id' command queries the Name Service Switch (NSS) to resolve user and group information. Even though PAM (via pam_ldap.so) successfully authenticates the user against LDAP, the group membership lookup fails because NSS is not configured to consult LDAP for group data. The /etc/nsswitch.conf file must include 'ldap' in the 'group' line (e.g., 'group: files ldap') to enable the system to retrieve LDAP group memberships.

Exam trap

The trap here is that candidates confuse PAM (authentication) with NSS (name resolution), assuming that successful LDAP authentication automatically means LDAP group lookups work, when in fact they are separate subsystems controlled by different configuration files.

How to eliminate wrong answers

Option A is wrong because changing 'required' to 'sufficient' affects the PAM authentication flow (e.g., whether other modules are tried), but does not impact how the 'id' command resolves group membership; the issue is with NSS, not PAM. Option B is wrong because the 'nss_base_group' line in /etc/ldap.conf defines the LDAP search base for groups, but without NSS configured to use LDAP for groups, this setting is never consulted. Option D is wrong because autofs is used for automounting filesystems and has no role in resolving LDAP group memberships.

4
MCQhard

An administrator needs to mount an NFSv4 export from server:/exports/data onto /mnt/data on a client. The requirement is to use Kerberos security, a hard mount, and ensure that the NFS server does not squash root's privileges. Which line in /etc/fstab correctly implements these requirements?

A.server:/exports/data /mnt/data nfs4 defaults,sec=none,hard,no_root_squash 0 0
B.server:/exports/data /mnt/data nfs4 defaults,sec=krb5,soft 0 0
C.server:/exports/data /mnt/data nfs4 defaults,sec=krb5,hard,no_root_squash 0 0
D.server:/exports/data /mnt/data nfs4 defaults,sec=krb5,hard 0 0
AnswerD

Correctly uses sec=krb5 and hard; no_root_squash is configured on the server.

Why this answer

Option D is correct because it specifies NFSv4 with Kerberos security (sec=krb5) and a hard mount, which meets the requirements. The no_root_squash option is not a valid mount option in /etc/fstab for the client side; it is an export option set on the NFS server in /etc/exports. Thus, D correctly omits it, as the client cannot enforce root squashing behavior.

Exam trap

The trap here is that candidates mistakenly include no_root_squash as a client-side mount option in /etc/fstab, confusing it with a server-side export option, or they choose a soft mount instead of hard.

How to eliminate wrong answers

Option A is wrong because sec=none disables Kerberos security, and no_root_squash is not a valid client-side mount option (it belongs in /etc/exports on the server). Option B is wrong because it uses soft instead of hard, which violates the hard mount requirement. Option C is wrong because it includes no_root_squash as a mount option in /etc/fstab, which is invalid; this option is only meaningful in the server's export configuration.

5
MCQhard

A client on the 192.168.2.0/24 network cannot obtain an IP address. Other clients on that subnet work fine. The DHCP server logs show no request from the client's MAC. What is the most likely cause?

A.No DHCP relay agent is configured on the client's subnet.
B.The range is too small for the number of clients.
C.The subnet declaration for 192.168.2.0 is missing option routers.
D.The client is configured with a static IP address.
AnswerA

Without a relay, broadcast requests don't cross routers.

Why this answer

The client's DHCP request never reaches the DHCP server, as indicated by the server logs showing no request from the client's MAC. Since other clients on the same subnet work fine, the DHCP server and the local subnet are functional. The most likely cause is that the client's subnet (192.168.2.0/24) lacks a DHCP relay agent (e.g., configured on a router or switch using the 'ip helper-address' command) to forward broadcast DHCPDISCOVER messages to the DHCP server located on a different subnet.

Without a relay agent, DHCP broadcasts are confined to the local subnet and cannot reach a remote server.

Exam trap

The trap here is that candidates often assume the problem is with the DHCP server configuration (e.g., scope exhaustion or missing options) rather than recognizing that the server never received the request, pointing to a Layer 3 forwarding issue like a missing DHCP relay agent.

How to eliminate wrong answers

Option B is wrong because if the IP address range were too small for the number of clients, the DHCP server would still receive the request and log it, but would respond with a NAK or no offer; the logs show no request at all. Option C is wrong because a missing 'option routers' directive would cause the client to receive an IP address but lack a default gateway, not prevent the DHCP request from being logged. Option D is wrong because a client configured with a static IP address would not send a DHCPDISCOVER message, so the server would not log a request from that MAC; however, the question states the client 'cannot obtain an IP address,' implying it is attempting DHCP but failing, and a static IP client would not attempt DHCP at all.

6
MCQhard

An administrator needs to configure an NFS client to mount an export from an NFSv4 server that requires Kerberos authentication. The client should mount the export at boot time. Which of the following must be ensured for the mount to succeed automatically?

A.The client must have a valid keytab for its host principal.
B.The NFS server must have the same hostname as the client.
C.The user must run kinit before mounting.
D.The mount must be performed via an autofs map.
AnswerA

The system keytab allows the client to authenticate without user interaction.

Why this answer

For an NFSv4 client to automatically mount an export requiring Kerberos authentication at boot time, the client must possess a valid keytab file containing its host principal (e.g., nfs/client.example.com@REALM). This keytab allows the system to obtain Kerberos credentials without interactive user input, enabling the kernel's NFS client to authenticate to the server during the mount process. Without a keytab, the mount would fail because no user is present to run kinit, and the system lacks the cryptographic material to prove its identity.

Exam trap

The trap here is that candidates may think running kinit manually or using autofs can substitute for a keytab, but the keytab is the only mechanism that provides non-interactive, boot-time Kerberos authentication for NFS mounts.

How to eliminate wrong answers

Option B is wrong because the NFS server and client do not need to have the same hostname; Kerberos authentication relies on service principal names (SPNs) and DNS resolution, not matching hostnames. Option C is wrong because kinit is an interactive command that requires a user to enter a password, which cannot occur at boot time; the keytab mechanism is designed to provide non-interactive authentication. Option D is wrong because autofs is a method for on-demand mounting and does not inherently solve the Kerberos credential problem; even with autofs, a valid keytab is still required for Kerberos-authenticated mounts.

7
MCQmedium

A laptop user frequently moves between different networks. The administrator wants the DNS configuration to update automatically when the laptop connects to a new network via DHCP. Which service or tool is most appropriate for this task?

A.NetworkManager
B.systemd-resolved
C.dhcpcd
D.resolvconf
AnswerA

NetworkManager handles DNS configuration dynamically when network changes occur.

Why this answer

NetworkManager is the most appropriate tool because it is designed to manage network connections on modern Linux systems, automatically detecting network changes and reconfiguring DNS settings based on DHCP-provided information. It integrates with various backends (e.g., systemd-resolved, resolvconf) to update the system's DNS configuration dynamically, making it ideal for a laptop that frequently moves between networks.

Exam trap

The trap here is that candidates often confuse systemd-resolved as a standalone solution for dynamic DNS updates, but it requires a network manager like NetworkManager to trigger the reconfiguration when the network changes.

How to eliminate wrong answers

Option B (systemd-resolved) is wrong because it is a DNS resolver and caching service, not a network connection manager; it relies on an external tool like NetworkManager to trigger DNS updates when the network changes. Option C (dhcpcd) is wrong because it is a DHCP client that can configure DNS, but it lacks the broader network management capabilities (e.g., handling multiple interfaces, Wi-Fi profiles) needed for a mobile laptop user, and it is not typically used as the primary network manager on modern distributions. Option D (resolvconf) is wrong because it is a framework for managing /etc/resolv.conf updates, but it does not handle network detection or DHCP itself; it requires another service (like NetworkManager or dhcpcd) to provide the DNS information.

8
MCQmedium

A system administrator needs to configure an NFS client to automatically mount an exported filesystem from a remote server whenever a user accesses the mount point. Which configuration approach is most appropriate?

A.Configure automount using autofs with an indirect map.
B.Add an entry to /etc/fstab with the 'defaults' option.
C.Use the 'mount -t nfs' command each time a user needs access.
D.Place a mount command in /etc/rc.local.
AnswerA

autofs mounts NFS shares on demand, reducing dependency on server availability.

Why this answer

Option A is correct because autofs with an indirect map allows the NFS filesystem to be mounted on-demand when a user accesses the mount point, and automatically unmounted after a period of inactivity. This is the standard Linux approach for dynamic, on-demand NFS mounting without requiring a persistent entry in /etc/fstab or manual intervention.

Exam trap

The trap here is that candidates often confuse on-demand mounting (autofs) with persistent mounting (/etc/fstab) or manual mounting, and may incorrectly assume that /etc/rc.local is a valid modern solution for automatic mounting.

How to eliminate wrong answers

Option B is wrong because adding an entry to /etc/fstab with the 'defaults' option causes the NFS filesystem to be mounted at boot time and remain mounted indefinitely, not on-demand when a user accesses the mount point. Option C is wrong because using 'mount -t nfs' each time a user needs access is not automated and requires manual intervention or scripting, defeating the purpose of automatic mounting. Option D is wrong because placing a mount command in /etc/rc.local mounts the filesystem at boot (similar to /etc/fstab), not on-demand, and /etc/rc.local is deprecated in modern systemd-based distributions.

9
MCQmedium

A company's file server uses NFS to export /data to clients. An administrator configures an NFS client by running 'mount -t nfs fileserver:/data /mnt/data'. The mount succeeds and the user can read files. However, after a network interruption, the client system becomes unresponsive when a user attempts to access /mnt/data. Which action should the administrator take to prevent this issue in the future?

A.Add the 'intr' mount option to allow signal interrupts.
B.Add the 'soft' option to the mount command: 'mount -t nfs -o soft fileserver:/data /mnt/data'.
C.Increase the timeout value with 'timeo=600' and keep the hard mount.
D.Use the 'noac' option to disable attribute caching.
AnswerB

Soft mounts timeout and fail gracefully.

Why this answer

Option B is correct because using a 'soft' mount causes NFS operations to return an error to the calling application after a timeout, rather than hanging indefinitely. This prevents the client system from becoming unresponsive when the NFS server is unreachable, as the kernel will not retry the request forever. The default 'hard' mount (used in the original command) will keep retrying until the server responds, which can block processes and make the system appear frozen.

Exam trap

The trap here is that candidates often confuse 'intr' as a valid solution for interrupting hung mounts, but modern kernels have deprecated it, making 'soft' the only reliable way to prevent client unresponsiveness during network failures.

How to eliminate wrong answers

Option A is wrong because the 'intr' mount option is deprecated in modern Linux kernels (since around kernel 2.6.25) and does not reliably allow signal interrupts to break a hung hard mount; it was historically used to allow manual interruption but is no longer effective. Option C is wrong because increasing the timeout with 'timeo=600' while keeping a 'hard' mount only delays the hang; the client will still become unresponsive after the longer timeout period if the server remains unreachable. Option D is wrong because 'noac' disables attribute caching, which can reduce performance but does not address the fundamental issue of a client hanging during network interruptions; it has no effect on the retry behavior of hard vs. soft mounts.

10
MCQeasy

An administrator wants to automatically mount home directories from an NFS server when a user logs in. Which service should be configured?

A.rpcbind
B.smb
C.autofs
D.nfs
AnswerC

autofs mounts directories automatically upon access.

Why this answer

Autofs is the correct service because it provides on-demand mounting of NFS home directories triggered by user login. It uses the automount daemon to mount directories only when accessed, reducing network overhead and avoiding permanent mount entries in /etc/fstab. This is the standard Linux solution for dynamic NFS home directory mounting.

Exam trap

The trap here is that candidates confuse the underlying NFS protocol (option D) with the automounting service (autofs), or mistakenly think rpcbind (option A) handles the mounting logic, when in fact rpcbind only facilitates NFS communication and autofs is the dedicated service for on-demand mounts.

How to eliminate wrong answers

Option A is wrong because rpcbind is a service that maps RPC program numbers to network addresses, required for NFS communication but not responsible for automatic mounting. Option B is wrong because smb (Samba) provides file sharing via SMB/CIFS protocol, not NFS, and is unrelated to automounting NFS home directories. Option D is wrong because nfs refers to the NFS server or client kernel modules and utilities, which handle the actual file sharing protocol but do not provide automatic mounting on login; that requires a separate automounter like autofs.

11
Multi-Selectmedium

Which TWO DHCP options are commonly used to provide network configuration to clients? (Choose two.)

Select 2 answers
A.routers
B.subnet-mask
C.ntp-servers
D.host-name
E.domain-name-servers
AnswersA, E

Provides default gateway.

Why this answer

Option A (routers) is correct because the DHCP option 3 (Router) provides the default gateway address to clients, enabling them to route traffic outside their local subnet. Option E (domain-name-servers) is correct because DHCP option 6 (Domain Name Server) supplies the DNS server addresses, allowing clients to resolve domain names. Both are essential for basic network connectivity and are almost universally configured in DHCP scopes.

Exam trap

LPI often tests the distinction between 'subnet mask' as a critical parameter versus a formal DHCP option number, leading candidates to select 'subnet-mask' because they know it is necessary, but the correct option name in the exam context is 'routers' and 'domain-name-servers' as the two most commonly configured options.

12
MCQhard

Refer to the exhibit. The output shows a DHCP exchange between a client (MAC 00:1a:2b:3c:4d:5e) and a server (192.168.1.1). The client is not obtaining an IP address. What is the most likely reason?

A.The client's /etc/dhcp/dhclient.conf contains a 'reject' statement that rejects offers from this server.
B.The DHCP server did not receive the client's request.
C.The DHCP server is not reachable from the client.
D.The client's MAC address is not authorized on the DHCP server.
AnswerA

If the client rejects the server, it will ignore the offer and continue sending requests.

Why this answer

Option A is correct because the DHCP client can be configured with a 'reject' statement in /etc/dhcp/dhclient.conf to ignore offers from specific servers. In this scenario, the client sends a DHCPDISCOVER, receives a DHCPOFFER from 192.168.1.1, but then does not proceed to DHCPREQUEST, indicating the offer was rejected locally. This matches the behavior of a reject rule, which causes the client to discard the offer without further communication.

Exam trap

The trap here is that candidates often assume DHCP failures are always server-side (e.g., authorization or reachability), overlooking client-side configuration files like dhclient.conf that can silently discard valid offers.

How to eliminate wrong answers

Option B is wrong because the exhibit shows the DHCP server received the client's DHCPDISCOVER and responded with a DHCPOFFER, proving the server is reachable and received the initial request. Option C is wrong because the DHCP server's DHCPOFFER was successfully transmitted to the client, as shown in the output, confirming bidirectional reachability. Option D is wrong because if the client's MAC address were unauthorized, the server would typically not respond with a DHCPOFFER at all, or would send a DHCPNAK; the presence of a DHCPOFFER indicates the server is willing to provide an address.

13
Multi-Selecteasy

Which TWO statements about the DHCP client on Linux are correct?

Select 2 answers
A.The dhclient command can be used to release and renew a DHCP lease.
B.The /etc/dhcp/dhclient.conf file can specify the hostname the client sends to the server.
C.The dhclient-script is used to parse the /etc/resolv.conf file.
D.The dhcpcd daemon is the standard DHCP client on all Linux distributions.
E.The /etc/dhcpd.conf file configures the DHCP client.
AnswersA, B

Correct. dhclient can release and renew leases via commands like dhclient -r and dhclient.

Why this answer

The dhclient command is the standard DHCP client on many Linux distributions and can be used to release and renew leases. The /etc/dhcp/dhclient.conf file allows configuration of options such as the hostname sent by the client. Other options are incorrect: dhcpcd is not standard on all distributions, /etc/dhcpd.conf is for the server, and dhclient-script handles network interface configuration, not resolv.conf parsing.

14
MCQmedium

You are troubleshooting a Linux client that is unable to connect to the internet. The client is configured to use DHCP on interface eth0. The output of 'ip addr show eth0' shows that the interface has an IP address 192.168.1.100/24, but there is no default gateway. The output of 'ip route show' shows only the local subnet route. The DHCP server is at 192.168.1.1 and is functioning correctly. You have verified that the DHCP client (dhclient) is running, and the lease file /var/lib/dhclient/dhclient-eth0.leases exists and contains option routers 192.168.1.1. Which of the following commands should you run to resolve the issue?

A.systemctl restart networking
B.ip route del default
C.dhclient -r eth0 && dhclient eth0
D.ip route add default via 192.168.1.1
AnswerC

This releases the current lease and obtains a new one, which should reinstate the default gateway from the DHCP server.

Why this answer

Option C is correct because the DHCP client has already obtained a lease with the correct gateway (192.168.1.1), but the default route was not applied. Running `dhclient -r eth0` releases the current lease, and `dhclient eth0` renews it, forcing the client to re-apply all options from the lease, including the default gateway route. This is the standard way to reinitialize the interface's network configuration from the DHCP server without restarting the entire networking service.

Exam trap

The trap here is that candidates often choose the manual route addition (Option D) because it seems quick and effective, but the LPIC-2 exam expects you to understand that the proper troubleshooting step is to renew the DHCP lease to ensure all options are correctly applied, rather than applying a temporary fix that bypasses the DHCP client's configuration logic.

How to eliminate wrong answers

Option A is wrong because `systemctl restart networking` would restart all network interfaces and services, which is an overly broad action that could disrupt other network connections and is not necessary when only the default route is missing; it also may not reapply the DHCP gateway if the lease is still valid. Option B is wrong because `ip route del default` would delete the default route, but there is no default route present (as shown in the output), so this command would either fail or do nothing; it does not add the missing gateway. Option D is wrong because while `ip route add default via 192.168.1.1` would manually add the correct default route, it is a temporary workaround that does not address the underlying issue of why the DHCP client failed to apply the route; the proper solution is to renew the lease so the client correctly processes all DHCP options.

15
MCQeasy

You are a system administrator at a small company. The network uses DHCP to assign IP addresses to clients. Recently, some users reported intermittent network connectivity issues. Upon investigation, you notice that the DHCP server is running on a Linux server with the ISC DHCP daemon. The server log shows many 'DHCPREQUEST' messages from a particular MAC address with frequent changes in requested IP addresses. Users with that MAC address are experiencing IP address conflicts and connectivity drops. What is the most likely cause and the best corrective action?

A.Increase the DHCP lease time to reduce the frequency of renewals.
B.Add a static DHCP mapping for the problematic MAC address to a reserved IP.
C.Identify the device with that MAC address and replace its network interface card.
D.Restart the DHCP daemon to clear the lease database.
AnswerC

The faulty NIC is likely sending multiple requests, causing conflicts. Replacing it resolves the issue.

Why this answer

The frequent DHCPREQUEST messages from the same MAC address requesting different IP addresses indicate a faulty network interface card (NIC) that is generating random or corrupted DHCP requests, likely due to hardware malfunction. Replacing the NIC eliminates the root cause by stopping the spurious traffic, whereas other options only mask symptoms or fail to address the hardware fault.

Exam trap

The trap here is that candidates often assume a software or configuration fix (like static mapping or lease adjustment) will solve what is actually a hardware failure, because the symptom appears as a DHCP protocol anomaly rather than a physical layer problem.

How to eliminate wrong answers

Option A is wrong because increasing the lease time would not stop the faulty NIC from sending erratic DHCPREQUESTs; it would only delay renewals, not prevent IP conflicts. Option B is wrong because adding a static DHCP mapping would reserve a specific IP for the MAC, but the faulty NIC would still generate conflicting requests for other IPs, causing lease database corruption and continued conflicts. Option D is wrong because restarting the DHCP daemon only clears the lease database temporarily; the faulty NIC will immediately generate new spurious requests, recreating the same problem.

16
MCQmedium

A new user has been added to the LDAP directory, but the user cannot log in. The admin confirms the LDAP server is reachable and the user entry exists. Which of the following is the most likely missing configuration?

A.The LDAP server does not have the correct schema for the user.
B.The nscd cache is stale and needs to be cleared.
C.The nsswitch.conf file should have 'ldap' before 'files' for passwd.
D.The PAM configuration does not include pam_ldap.
AnswerD

PAM is responsible for authentication; without pam_ldap, LDAP users cannot authenticate.

Why this answer

D is correct because even if the LDAP server is reachable and the user entry exists, the system must be configured to use LDAP for authentication. PAM (Pluggable Authentication Modules) controls how authentication is performed; without pam_ldap (or pam_ldap.so) in the PAM stack, the system will not consult the LDAP server during login, so authentication fails regardless of the LDAP directory contents.

Exam trap

The trap here is that candidates confuse name service resolution (nsswitch.conf) with authentication (PAM), assuming that if getent shows the user, login should work, but PAM is the gatekeeper for authentication and must be explicitly configured.

How to eliminate wrong answers

Option A is wrong because the schema defines the structure of entries (e.g., object classes and attributes), not whether authentication works; if the user entry exists, the schema is already in place. Option B is wrong because nscd caches name service lookups (e.g., user/group info), not authentication; a stale cache might cause getent to show old data, but it would not prevent login if PAM is correctly configured to query LDAP. Option C is wrong because the order in nsswitch.conf affects user/group resolution (e.g., getent passwd), not authentication; PAM is responsible for authentication, and even if 'ldap' is before 'files', without pam_ldap the login will still fail.

17
MCQeasy

What is the recommended way to configure a Linux host to obtain an IP address automatically via DHCP on the eth0 interface?

A.Set 'BOOTPROTO=dhclient' in /etc/sysconfig/network-scripts/ifcfg-eth0.
B.Edit /etc/dhcp/dhcpd.conf to include the host's MAC address.
C.Use 'networkctl' to set DHCP=yes on eth0.
D.Set 'BOOTPROTO=dhcp' in /etc/sysconfig/network-scripts/ifcfg-eth0.
AnswerD

Standard for network-scripts.

Why this answer

Option D is correct because on Red Hat-based Linux distributions, the recommended way to configure an interface for DHCP is to set 'BOOTPROTO=dhcp' in the interface configuration file /etc/sysconfig/network-scripts/ifcfg-eth0. This instructs the network service to use the DHCP protocol to obtain an IP address automatically from a DHCP server. The value 'dhcp' is the standard keyword recognized by the ifcfg scripts, not 'dhclient'.

Exam trap

The trap here is that candidates confuse the DHCP client configuration keyword 'dhcp' with the client program name 'dhclient', or mistakenly think that editing the DHCP server configuration file is the correct way to configure a client to obtain an IP automatically.

How to eliminate wrong answers

Option A is wrong because 'BOOTPROTO=dhclient' is not a valid value; the correct keyword is 'dhcp', and the DHCP client (dhclient) is invoked automatically by the network scripts when BOOTPROTO=dhcp is set. Option B is wrong because /etc/dhcp/dhcpd.conf is the configuration file for the DHCP server (dhcpd), not the client; editing it to include the host's MAC address would configure the server to assign a static lease, not configure the host to obtain an IP automatically. Option C is wrong because 'networkctl' is a tool used with systemd-networkd, not with the traditional ifcfg-based network configuration used by Red Hat/CentOS; while systemd-networkd can be used, the question asks for the recommended way on a standard Linux host, and the ifcfg method is the traditional and widely supported approach for this distribution family.

18
MCQhard

Based on the exhibit, which command would change the DNS server to 1.1.1.1 for the connection MyConnection?

A.nmcli con mod MyConnection IP4.DNS 1.1.1.1
B.nmcli con mod MyConnection ipv4.dns 1.1.1.1
C.nmcli dev mod eth0 ipv4.dns 1.1.1.1
D.nmcli con mod MyConnection +ipv4.dns 1.1.1.1
AnswerB

This is the correct nmcli command to modify the DNS setting for the connection.

Why this answer

Option B is correct because the `nmcli con mod` command modifies an existing connection profile, and the `ipv4.dns` property sets the DNS server for IPv4. The property name is case-sensitive and must be lowercase `ipv4.dns` as per NetworkManager's D-Bus API. This command replaces any existing DNS servers with the specified value.

Exam trap

The trap here is that candidates confuse the case-sensitive property name (`ipv4.dns` vs `IP4.DNS`) or mistake the `+` prefix for setting rather than appending, leading them to choose options that either use incorrect syntax or do not achieve the intended replacement.

How to eliminate wrong answers

Option A is wrong because `IP4.DNS` uses incorrect casing; NetworkManager property names are case-sensitive and must be lowercase (`ipv4.dns`). Option C is wrong because `nmcli dev mod` modifies device settings, not connection profiles, and DNS is a per-connection property, not a device property. Option D is wrong because the `+` prefix appends the DNS server to the existing list rather than replacing it, which would not change the DNS server to only 1.1.1.1 if other servers are already configured.

19
MCQhard

A company runs an NTP server that should only synchronize with trusted upstream servers and provide time to internal clients. Which restrict clause in ntp.conf would best secure the server against unauthorized queries?

A.restrict default ignore
B.restrict default kod nomodify notrap nopeer noquery
C.restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap
D.restrict 127.0.0.1
AnswerC

Allows time synchronization from the subnet while blocking modifications.

Why this answer

Option C is correct because it uses a restricted subnet mask (192.168.0.0/16) to allow only internal clients to query the NTP server, while blocking unauthorized external queries. The `nomodify` and `notrap` flags prevent clients from altering the server's configuration or sending control message traps, which aligns with the requirement to secure the server against unauthorized queries. This approach ensures that only trusted internal hosts can synchronize time without exposing the server to external threats.

Exam trap

The trap here is that candidates often choose option B because it includes many security flags, but they overlook that `restrict default` applies to all hosts not explicitly allowed, which would block the required upstream synchronization unless additional `restrict` lines are added for trusted servers.

How to eliminate wrong answers

Option A is wrong because `restrict default ignore` completely blocks all NTP traffic from any host not explicitly allowed, which would prevent even trusted upstream servers from synchronizing with this server, breaking the requirement that the server should synchronize with trusted upstream servers. Option B is wrong because `restrict default kod nomodify notrap nopeer noquery` applies a default deny-all policy with additional restrictions, but it still blocks all default traffic, including necessary queries from trusted upstream servers, and the `kod` (Kiss-o'-Death) packet can be used in denial-of-service attacks. Option D is wrong because `restrict 127.0.0.1` only allows the localhost to access the NTP server, which would block all internal clients and upstream servers, making the server completely isolated and unable to provide time to internal clients or synchronize with upstream servers.

20
MCQmedium

A developer frequently needs to access a remote database server that is only accessible via SSH from a jump host. To simplify access, the administrator wants to create a local port forward so that the developer can connect to localhost:3306 and reach the remote database's MySQL port 3306. Which SSH command achieves this?

A.ssh -J user@jump.example.com -L 3306:localhost:3306 db.internal
B.ssh -L 3306:db.internal:3306 user@jump.example.com
C.ssh -L localhost:3306:db.internal:3306 user@jump.example.com
D.ssh -R 3306:localhost:3306 user@jump.example.com
E.ssh -L 3306:localhost:3306 user@jump.example.com
AnswerB, E

Forwards local port 3306 to db.internal:3306 via jump host.

Why this answer

Option B is correct because the `-L` flag creates a local port forward, mapping a local port (3306) to a remote destination (db.internal:3306) via the SSH connection to the jump host (user@jump.example.com). The syntax `-L 3306:db.internal:3306` tells SSH to listen on localhost:3306 and forward all traffic through the jump host to db.internal:3306, which is reachable from the jump host. This allows the developer to connect to localhost:3306 and reach the remote MySQL database.

Exam trap

The trap here is confusing local port forwarding (`-L`) with remote port forwarding (`-R`) or misinterpreting the destination address as being resolved from the client's network instead of the SSH server's network.

How to eliminate wrong answers

Option A is wrong because the `-J` flag specifies a jump host for a multi-hop SSH connection, but the syntax `-L 3306:localhost:3306` incorrectly binds the local port to the jump host's localhost, not the target database server. Option C is wrong because it explicitly binds to localhost:3306 on the client side, but the syntax `-L localhost:3306:db.internal:3306` is functionally identical to option B and is also correct; however, the question marks both B and C as correct, but the intended correct answer is B as it matches the standard SSH syntax without the redundant `localhost:` prefix. Option D is wrong because `-R` creates a remote port forward (listening on the remote side), not a local port forward, which would allow connections to the jump host's port 3306 to reach the client's localhost:3306, opposite of what is needed.

Option E is wrong because `-L 3306:localhost:3306` forwards local port 3306 to the jump host's localhost:3306, not to the remote database server db.internal.

21
MCQmedium

A user reports that the command 'smbclient -L //fileserver' fails with a timeout. What is the most likely cause?

A.The smbd service on the server is not running.
B.The user does not have an account on the server.
C.The server is not reachable via ping.
D.A firewall on the client or server is blocking TCP port 445.
AnswerD

Port 445 is used by SMB; blocking it causes timeouts.

Why this answer

The command 'smbclient -L //fileserver' uses SMB protocol to list shares. A timeout indicates the client cannot establish a TCP connection to the server on port 445, which is the default SMB port. A firewall blocking TCP 445 would prevent the connection, causing a timeout, while other issues like a stopped smbd service or unreachable server would typically produce different errors (e.g., 'connection refused' or 'no route to host').

Exam trap

The trap here is that candidates confuse a timeout (no response) with a connection refusal (immediate failure), leading them to incorrectly choose a stopped service or unreachable server when the real issue is a firewall silently dropping packets.

How to eliminate wrong answers

Option A is wrong because if the smbd service is not running, the server would actively refuse the connection (TCP RST), resulting in an immediate 'connection refused' error, not a timeout. Option B is wrong because authentication is not required for the '-L' option to list shares; it only affects the ability to access specific shares, not the initial connection. Option C is wrong because if the server is not reachable via ping, the client would likely receive an 'ICMP unreachable' or 'no route to host' error, not a timeout; a timeout specifically suggests the server is reachable but not responding on the SMB port.

22
MCQmedium

An administrator wants to ensure that a Linux client sends all DNS queries to a specific DNS server without relying on DHCP-provided DNS servers. Which configuration files should be modified?

A.Configure NetworkManager to ignore DNS from DHCP and set the DNS manually in the connection profile
B.Edit /etc/dhcp/dhclient.conf to add 'supersede domain-name-servers <desired IP>;'
C.Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and set PEERDNS=no and DNS1=<desired IP>
D.Edit /etc/resolv.conf and set the nameserver to the desired IP
AnswerB

This overrides DHCP-provided DNS servers and ensures the client uses the specified DNS.

Why this answer

Option B is correct because the dhclient.conf file allows an administrator to override DHCP-provided DNS servers using the 'supersede' directive. This forces the DHCP client to ignore the DNS servers received from the DHCP server and instead use the manually specified DNS server when writing /etc/resolv.conf. This is a standard method for controlling DNS resolution on systems using dhclient.

Exam trap

The trap here is that candidates often assume editing /etc/resolv.conf directly is sufficient, but they fail to recognize that DHCP clients or network management tools will overwrite it, making the change non-persistent unless the DHCP client is explicitly configured to ignore or supersede the provided DNS servers.

How to eliminate wrong answers

Option A is wrong because NetworkManager is not the only network management service; many Linux systems use dhclient directly, and the question does not specify NetworkManager. Option C is wrong because /etc/sysconfig/network-scripts/ifcfg-eth0 is specific to Red Hat-based systems using legacy network scripts, not a universal solution, and setting PEERDNS=no only prevents DHCP from overwriting resolv.conf but does not directly force the DNS server into resolv.conf without additional configuration. Option D is wrong because /etc/resolv.conf is dynamically overwritten by DHCP clients (like dhclient) or resolvers, so editing it directly is not persistent and will be reverted on network restart or DHCP renewal.

23
Multi-Selecthard

Which THREE statements about PAM configuration are correct? (Select three.)

Select 3 answers
A.The control flag 'required' means the module must succeed; if it fails, authentication fails immediately.
B.The module type 'auth' is used for account management.
C.The order of modules in a stack affects the outcome.
D.The control flag 'requisite' means the module must succeed, and if it fails, no further modules are called.
E.The control flag 'sufficient' means that if the module succeeds, authentication succeeds immediately.
AnswersC, D, E

PAM module order is significant.

Why this answer

Option C is correct because PAM (Pluggable Authentication Modules) processes modules in a defined order within a stack, and the control flags (required, requisite, sufficient, optional) determine how the success or failure of each module affects the overall authentication result. The order matters because a 'sufficient' module that succeeds can cause authentication to succeed immediately, bypassing later modules, while a 'required' module that fails can cause authentication to fail after all modules in the stack have been evaluated.

Exam trap

The trap here is that candidates often confuse 'required' with 'requisite', mistakenly thinking that 'required' causes immediate failure, when in fact 'required' allows the stack to continue processing, while 'requisite' is the flag that immediately aborts on failure.

24
MCQmedium

A Samba share is configured with 'valid users = @staff' but users in the staff group still get 'NT_STATUS_ACCESS_DENIED' when accessing the share. The server uses 'security = user'. Which additional configuration is required?

A.Set 'guest ok = yes'
B.Set 'force group = staff'
C.Run smbpasswd -a for each user
D.Add the share to [global]
AnswerC

Samba passwords are separate from system passwords.

Why this answer

With 'security = user', Samba requires each user to have a separate Samba password stored in the smbpasswd file (or another passdb backend). Even if a user is a member of the 'staff' group and exists in the system's /etc/passwd, they cannot authenticate to the share without an smbpasswd entry. Running 'smbpasswd -a' for each user creates that entry, resolving the NT_STATUS_ACCESS_DENIED error.

Exam trap

The trap here is that candidates assume group membership alone grants access, overlooking that Samba's user-level security requires a separate password database entry for each authenticated user.

How to eliminate wrong answers

Option A is wrong because 'guest ok = yes' allows anonymous access, which bypasses authentication entirely and does not address the requirement for valid users to authenticate with their own credentials. Option B is wrong because 'force group = staff' only changes the effective group for file operations after authentication; it does not fix the missing Samba password database entry that prevents authentication. Option D is wrong because adding the share to the [global] section is syntactically invalid—shares must be defined in their own stanzas, and this does not affect user authentication.

25
Multi-Selecthard

Which THREE directives are essential for configuring an OpenLDAP client in /etc/ldap/ldap.conf? (Choose three.)

Select 3 answers
A.SIZELIMIT
B.BINDDN
C.BASE
D.TLS_REQCERT
E.URI
AnswersC, D, E

Specifies the default search base.

Why this answer

The BASE directive defines the starting point for LDAP searches (e.g., dc=example,dc=com) and is essential for client configuration to know which subtree to query. Without it, the client cannot determine the search base for directory lookups.

Exam trap

LPI often tests the misconception that BINDDN is a mandatory global setting, when in fact it is an authentication credential that should not be stored in the shared configuration file for security reasons.

26
MCQeasy

A system administrator needs to configure a Linux client to use a specific DNS server for a particular domain. Which file should be modified to achieve this?

A.Edit /etc/hosts
B.Edit /etc/networks
C.Edit /etc/nsswitch.conf
D.Edit /etc/resolv.conf
AnswerD

resolv.conf contains DNS server IPs and domain/search directives to specify default domains.

Why this answer

The /etc/resolv.conf file is the primary configuration file for DNS resolution on Linux systems. It allows specifying DNS servers (nameserver entries) and search domains, and can be configured to use a specific DNS server for a particular domain by adding a 'domain' or 'search' directive along with the appropriate nameserver. This file is read by the resolver library (glibc) during DNS lookups.

Exam trap

The trap here is that candidates often confuse /etc/resolv.conf with /etc/nsswitch.conf, thinking the latter controls DNS server selection, when in fact nsswitch.conf only defines the lookup order (e.g., files before dns) and not the actual DNS server addresses.

How to eliminate wrong answers

Option A is wrong because /etc/hosts is used for static IP-to-hostname mappings, not for specifying DNS servers per domain; it bypasses DNS entirely. Option B is wrong because /etc/networks maps network names to network numbers, not DNS server configuration. Option C is wrong because /etc/nsswitch.conf controls the order of name resolution sources (e.g., files, dns, mdns), but does not define which DNS server to use for a specific domain.

27
MCQhard

An organization uses LDAP for centralized authentication. The /etc/nsswitch.conf contains 'passwd: files ldap' and 'shadow: files ldap'. The /etc/pam.d/system-auth includes 'auth requisite pam_ldap.so' and 'account required pam_ldap.so'. However, users can log in using local accounts but not LDAP accounts. The ldapsearch command works correctly against the LDAP server. Logs show 'pam_ldap: error trying to bind as user (No such object)'. Which configuration change is most likely needed?

A.Open TCP port 389 on the client firewall.
B.Add 'uri ldaps://ldap.example.com' to /etc/ldap.conf.
C.Restart the nscd service.
D.Ensure /etc/ldap.conf contains a valid 'binddn' and 'bindpw' for the search user.
AnswerD

pam_ldap needs a bind DN to search for users.

Why this answer

The error 'pam_ldap: error trying to bind as user (No such object)' indicates that PAM LDAP cannot find the user entry in the LDAP directory. This typically occurs because the binddn (the search user) specified in /etc/ldap.conf is incorrect or missing, preventing PAM from performing the initial search to locate the user's DN. Since ldapsearch works manually, the LDAP server is reachable, but the PAM module lacks the credentials to bind and search for users.

Exam trap

The trap here is that candidates confuse a working ldapsearch (which may use anonymous bind or a different credential) with the PAM module's need for a dedicated binddn and bindpw, leading them to focus on network or caching issues instead of the missing authentication credentials for the search user.

How to eliminate wrong answers

Option A is wrong because the ldapsearch command works, proving TCP port 389 is already open and the client can reach the LDAP server; blocking the port would prevent ldapsearch from succeeding. Option B is wrong because the URI is already configured (as ldapsearch works), and changing to ldaps:// would require TLS setup and does not address the bind failure; the error is about binding, not transport security. Option C is wrong because restarting nscd (Name Service Cache Daemon) would only clear cached NSS lookups, but the error originates from PAM LDAP binding, not from NSS caching; nscd does not affect PAM authentication flows.

28
MCQmedium

A company uses NIS for user authentication. A client cannot log in with network accounts but local accounts work. Which command should be used to check if the client is bound to the NIS domain?

A.ypwhich
B.ypset
C.ypcat passwd
D.domainname
AnswerA

Displays the NIS server currently bound.

Why this answer

The `ypwhich` command is used to display the NIS server to which the client is currently bound. If the client is not bound to any NIS domain, `ypwhich` returns an error, confirming the binding issue. This directly checks the NIS client-server binding, which is essential for network authentication.

Exam trap

The trap here is that candidates often confuse `domainname` (which only shows the configured NIS domain) with `ypwhich` (which confirms active binding to a server), leading them to pick D when the actual issue is a missing or failed binding.

How to eliminate wrong answers

Option B is wrong because `ypset` is used to manually set the NIS server binding for a client, not to check the current binding. Option C is wrong because `ypcat passwd` retrieves the password map from the NIS server, but it will fail if the client is not bound, and it does not directly verify binding status. Option D is wrong because `domainname` shows or sets the system's NIS/YP domain name, but it does not verify whether the client is actually bound to an NIS server; a client can have a domain name set but still be unbound.

29
MCQmedium

A Linux client is configured with the following in /etc/nslcd.conf: 'uri ldap://10.0.0.1/', 'base dc=example,dc=com'. Which command can be used to test connectivity to the LDAP server and verify the base DN?

A.authconfig --test
B.ldapsearch -x -H ldap://10.0.0.1 -b dc=example,dc=com
C.getent passwd
D.nslcd -d
AnswerB

Directly tests LDAP query.

Why this answer

The `ldapsearch` command with `-x` (simple authentication), `-H ldap://10.0.0.1` (specifying the LDAP URI), and `-b dc=example,dc=com` (setting the search base DN) directly performs an anonymous LDAP search against the server. If the server is reachable and the base DN exists, it returns entries, confirming both connectivity and the validity of the base DN. This matches the configuration in `/etc/nslcd.conf` and is the standard tool for testing LDAP server responses.

Exam trap

The trap here is that candidates may confuse local authentication testing tools (authconfig, getent) or daemon debugging (nslcd -d) with a direct, protocol-level LDAP query, which is the only reliable method to independently verify server connectivity and base DN validity.

How to eliminate wrong answers

Option A is wrong because `authconfig --test` only tests the local system authentication configuration (e.g., SSSD, LDAP, Kerberos settings) and does not perform an actual LDAP query to verify server connectivity or the base DN. Option C is wrong because `getent passwd` queries the local system's configured name services (via nsswitch.conf) and may return cached or fallback data; it does not directly test LDAP server connectivity or the base DN, and can succeed even if the LDAP server is unreachable if other sources are available. Option D is wrong because `nslcd -d` runs the nslcd daemon in debug mode, which logs connection attempts and errors but does not perform a single, controlled test of connectivity and base DN; it requires interpreting daemon output and may not immediately reveal a base DN mismatch.

30
MCQhard

An administrator needs to configure a Linux client to automatically obtain an IP address from a DHCP server but also ensure that the client uses a specific static DNS server (8.8.8.8) regardless of the DHCP-provided DNS. Which configuration should be applied?

A.Add 'append domain-name-servers 8.8.8.8;' to /etc/dhcp/dhclient.conf
B.Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and set PEERDNS=no and DNS1=8.8.8.8
C.Add 'prepend domain-name-servers 8.8.8.8;' to /etc/dhcp/dhclient.conf
D.Add 'supersede domain-name-servers 8.8.8.8;' to /etc/dhcp/dhclient.conf
AnswerD

supersede overrides the DHCP-provided DNS servers with the specified one.

Why this answer

Option D is correct because the `supersede` directive in `/etc/dhcp/dhclient.conf` forces the DHCP client to replace any DNS server addresses received from the DHCP server with the specified value (8.8.8.8). This ensures the client uses the static DNS server regardless of what the DHCP server offers, while still obtaining its IP address dynamically.

Exam trap

The trap here is that candidates often confuse `prepend` (which adds a DNS server but does not remove DHCP-provided ones) with `supersede` (which completely replaces the DHCP-provided list), leading them to choose option C instead of D.

How to eliminate wrong answers

Option A is wrong because `append` adds the specified DNS server to the end of the list provided by the DHCP server, meaning the DHCP-provided DNS servers would still be used (and may take precedence). Option B is wrong because it applies to NetworkManager or legacy sysconfig scripts on Red Hat-based systems, not to the DHCP client configuration itself; setting `PEERDNS=no` prevents the DHCP client from modifying `/etc/resolv.conf`, but the DNS server would need to be set elsewhere, and this approach is distribution-specific and not the standard method for overriding DHCP DNS on a generic Linux client. Option C is wrong because `prepend` adds the specified DNS server to the beginning of the list, which makes it the primary resolver, but the DHCP-provided DNS servers are still present and could be used as fallbacks, which does not guarantee that only 8.8.8.8 is used.

31
Multi-Selectmedium

Which TWO Samba security modes are considered insecure and should be avoided? (Choose two.)

Select 2 answers
A.share
B.server
C.domain
D.user
E.ads
AnswersA, B

Share-level security is deprecated and insecure.

Why this answer

Samba's 'share' security mode (deprecated in Samba 3.0) and 'server' security mode (removed in Samba 3.6) are both considered insecure. 'share' mode allowed anonymous access without per-user authentication, relying on share-level passwords that were transmitted in plaintext or weak hashes. 'server' mode delegated authentication to another Samba server (e.g., 'security = server' with 'password server = *'), which often fell back to plaintext or LANMAN hashes over an unencrypted connection, exposing credentials to interception.

Exam trap

The trap here is that candidates confuse 'share' and 'server' with modern Samba modes like 'user' or 'domain', or mistakenly think 'server' refers to a secure server role, when in fact both are deprecated legacy modes that lack encrypted per-user authentication.

32
Multi-Selectmedium

Which TWO commands can be used to connect to a Samba share from a Linux command line?

Select 2 answers
A.sshfs
B.smbclient
C.nfsmount
D.mount.cifs
E.ftp
AnswersB, D

smbclient can connect to SMB shares and list files.

Why this answer

B is correct because smbclient is a command-line tool that uses the SMB/CIFS protocol to connect to Samba shares, allowing file transfers and directory listing. D is correct because mount.cifs is a helper program that mounts a Samba share to a local directory using the CIFS filesystem type, enabling direct file access via the kernel's cifs module.

Exam trap

The trap here is that candidates confuse sshfs (SSH-based) or nfsmount (NFS-based) with Samba tools, or assume ftp can access Samba shares, when only SMB/CIFS-specific commands like smbclient and mount.cifs are valid.

33
MCQhard

A Linux workstation must be configured to automatically mount an NFS share from server nfs.example.com:/exports/data at boot time. The share should be mounted with noexec and nosuid options. Which line should be added to /etc/fstab?

A.nfs.example.com:/exports/data /mnt/data nfs noexec,nosuid,_netdev 0 0
B.nfs.example.com:/exports/data /mnt/data nfs noexec,nosuid,_netdev 0 0
C.nfs.example.com:/exports/data /mnt/data auto noexec,nosuid,_netdev 0 0
D.nfs.example.com:/exports/data /mnt/data nfs4 noexec,nosuid 0 0
AnswerB

Correct syntax: server:path, mount point, filesystem type, options with _netdev, and dump/pass fields.

Why this answer

Option B is correct because it specifies the NFS filesystem type, includes the required mount options (noexec, nosuid, _netdev), and uses the correct fstab format. The _netdev option is critical for network filesystems to ensure the system waits for network availability before attempting the mount at boot time.

Exam trap

The trap here is that candidates often forget the _netdev option for network filesystems, assuming that specifying 'nfs' as the filesystem type is sufficient, but without _netdev the mount may fail at boot if the network is not yet ready.

How to eliminate wrong answers

Option A is wrong because it is identical to option B and thus not a distinct incorrect answer; the question expects B as the correct choice. Option C is wrong because it uses 'auto' as the filesystem type instead of 'nfs', which may cause the system to probe for the filesystem type and potentially fail or behave incorrectly. Option D is wrong because it omits the _netdev option, which is necessary for network filesystems to prevent boot delays or failures when the network is not yet available; also, using 'nfs4' is acceptable but without _netdev it is incomplete.

34
Multi-Selectmedium

Which TWO options in dhcpd.conf are used to define the subnet and the address range for dynamic allocation? (Select two.)

Select 2 answers
A.option subnet-mask 255.255.255.0;
B.pool { ... }
C.range 192.168.1.10 192.168.1.100;
D.host fixed-address 192.168.1.200;
E.subnet 192.168.1.0 netmask 255.255.255.0 { ... }
AnswersC, E

Defines the dynamic address pool.

Why this answer

Option C is correct because the `range` directive in `dhcpd.conf` explicitly defines the pool of IP addresses available for dynamic (DHCP) allocation. Option E is correct because the `subnet` declaration specifies the network segment and netmask, creating the context in which the `range` statement must be nested to function. Together, they define both the subnet boundary and the dynamic address pool.

Exam trap

LPI often tests the distinction between the `subnet` declaration (which defines the network boundary) and the `option subnet-mask` statement (which is a client-facing parameter), leading candidates to incorrectly select the option as a definition of the subnet itself.

35
MCQhard

In a PAM configuration file, which control flag is used for modules that are not required but can provide additional functionality?

A.required
B.sufficient
C.requisite
D.optional
AnswerD

Module is not critical; provides additional functionality.

Why this answer

In PAM (Pluggable Authentication Modules) configuration files, the 'optional' control flag indicates that the module's success or failure is not critical to the overall authentication result. It is used for modules that provide additional functionality, such as logging or session recording, without affecting whether access is granted or denied. This allows administrators to add supplementary checks without breaking existing authentication flows.

Exam trap

The trap here is that candidates often confuse 'optional' with 'sufficient' or 'required', thinking that any module that adds functionality must be 'sufficient' to grant access, but 'optional' is specifically for non-critical enhancements that do not alter the authentication decision.

How to eliminate wrong answers

Option A is wrong because 'required' means the module must succeed for authentication to proceed; if it fails, authentication fails immediately, which is not for optional functionality. Option B is wrong because 'sufficient' means that if the module succeeds, authentication is granted immediately, bypassing further modules, which is not for non-essential additions. Option C is wrong because 'requisite' means that if the module fails, authentication fails immediately with no further processing, which is the opposite of optional behavior.

36
MCQmedium

An administrator configures LDAP authentication on a Linux client. After making changes to /etc/nsswitch.conf and /etc/pam.d/system-auth, users can log in but cannot execute commands like 'id username'. What is the most likely cause?

A.LDAP server is not reachable
B.nsswitch.conf lacks 'ldap' for passwd
C.LDAP binddn is missing
D.PAM configuration is incorrect
AnswerB

Id uses passwd map; if not set to ldap, it won't query LDAP.

Why this answer

The 'id username' command relies on the Name Service Switch (NSS) to resolve user and group information from configured sources. If 'ldap' is not listed for the 'passwd' database in /etc/nsswitch.conf, the system will not query the LDAP server for user account details, even though PAM may have been configured to authenticate against LDAP. This mismatch allows login (via PAM) but prevents user attribute lookups (via NSS).

Exam trap

The trap here is that candidates assume LDAP authentication is fully functional because login succeeds, overlooking that NSS and PAM serve distinct roles—PAM handles authentication, while NSS handles user/group information retrieval—and both must be configured independently for LDAP integration to work completely.

How to eliminate wrong answers

Option A is wrong because if the LDAP server were unreachable, both authentication (via PAM) and user lookups (via NSS) would fail, not just the 'id' command. Option C is wrong because a missing LDAP binddn would prevent the client from binding to the LDAP directory, causing both authentication and user lookups to fail, not just the 'id' command. Option D is wrong because incorrect PAM configuration would typically cause authentication failures (login would fail), whereas the problem here is that login succeeds but user attribute lookups fail, pointing to an NSS issue.

37
MCQeasy

Which file is used by the NetworkManager daemon to store connection profiles on a Linux system?

A./etc/NetworkManager/system-connections/
B./etc/sysconfig/network-scripts/
C./etc/netctl/
D./etc/systemd/network/
AnswerA

NetworkManager stores connection profiles as individual files in this directory.

Why this answer

NetworkManager stores per-connection profiles in the `/etc/NetworkManager/system-connections/` directory. Each profile is a keyfile (`.nmconnection` file) containing connection parameters such as SSID, security settings, and IP configuration. When NetworkManager starts or a connection is modified, it reads and writes these files to persist network configurations across reboots.

Exam trap

The trap here is that candidates confuse the NetworkManager connection profile directory with other network configuration directories like the legacy initscripts path (`/etc/sysconfig/network-scripts/`) or systemd-networkd's path (`/etc/systemd/network/`), leading them to pick a plausible but incorrect option based on their distribution's default tools.

How to eliminate wrong answers

Option B is wrong because `/etc/sysconfig/network-scripts/` is used by the legacy `network` service (initscripts) on RHEL/CentOS 6 and earlier, not by NetworkManager. Option C is wrong because `/etc/netctl/` is the configuration directory for `netctl`, a network manager used primarily in Arch Linux, not by NetworkManager. Option D is wrong because `/etc/systemd/network/` is used by `systemd-networkd`, a separate network daemon, not by NetworkManager.

38
MCQhard

Given the mount options shown, which of the following events will cause the NFS mount to become unresponsive (hang)?

A.The NFS server reboots.
B.The network becomes saturated.
C.The client runs out of disk space on /mnt/data.
D.The /mnt/data directory is deleted locally.
AnswerA

With 'hard' mount, the client will continuously retry, causing a hang until the server responds.

Why this answer

When the NFS server reboots, the client's TCP connection to the server is broken. With the `hard` mount option (default), the client will retry indefinitely until the server comes back online, causing all processes accessing the mount to hang (become unresponsive). The `intr` option (if not set) prevents interruption by signals, making the hang persistent until the server responds.

Exam trap

LPI often tests the misconception that network saturation or local disk issues cause NFS hangs, but the key is that only a hard mount with a server reboot (or network partition that breaks the connection) leads to an indefinite hang, while other issues result in errors or retries without freezing the client.

How to eliminate wrong answers

Option B is wrong because network saturation causes timeouts and retransmissions, but with `soft` or `hard` mounts, the client will either return an error (soft) or retry (hard) without hanging indefinitely—only a hard mount with no intr option can cause a permanent hang, and saturation alone does not break the connection. Option C is wrong because the client running out of disk space on /mnt/data affects local writes, but NFS mounts operate over the network; the server's disk space is what matters, and the client's local disk space does not impact NFS responsiveness. Option D is wrong because deleting the /mnt/data directory locally only removes the mount point directory; the NFS mount remains active, and the kernel still has a reference to the superblock, so operations will continue to work (though new accesses via the deleted path may fail with ENOENT, but the mount itself does not hang).

39
MCQmedium

Which file is used to configure the LDAP client for system authentication on a modern Linux system using nss-pam-ldapd?

A./etc/openldap/ldap.conf
B./etc/nsswitch.conf
C./etc/nslcd.conf
D./etc/ldap.conf
AnswerC

Correct file for nslcd daemon.

Why this answer

Option C is correct because /etc/nslcd.conf is the configuration file for nslcd, the LDAP name service daemon used by nss-pam-ldapd to perform LDAP queries for system authentication and user/group lookups. This daemon communicates with the LDAP server and provides the results to NSS and PAM modules, making it the central configuration point for LDAP client authentication on modern Linux systems.

Exam trap

The trap here is that candidates often confuse /etc/nslcd.conf (used by nss-pam-ldapd) with /etc/ldap.conf (used by the older nss_ldap/pam_ldap) or /etc/openldap/ldap.conf (used by OpenLDAP client tools), leading them to select a wrong answer based on familiarity with a different LDAP client stack.

How to eliminate wrong answers

Option A is wrong because /etc/openldap/ldap.conf is the configuration file for the OpenLDAP client libraries (libldap), used by tools like ldapsearch, not by nss-pam-ldapd's nslcd daemon. Option B is wrong because /etc/nsswitch.conf controls the order of name service sources (e.g., files, ldap, dns) but does not contain LDAP server connection parameters or credentials. Option D is wrong because /etc/ldap.conf is the legacy configuration file for the older nss_ldap and pam_ldap packages, not for the modern nss-pam-ldapd implementation.

40
MCQhard

An administrator notices that an NFS mount on a client becomes unresponsive when the NFS server goes offline. The admin wants the mount to return an error to the application after a short timeout instead of hanging indefinitely. Which mount option should be added to the fstab entry?

A.intr
B.bg
C.hard
D.soft
AnswerD

The soft option allows NFS to time out and return an error.

Why this answer

The `soft` mount option causes the NFS client to return an error to the application after a short timeout (typically 60 seconds by default) if the NFS server becomes unresponsive, rather than hanging indefinitely. This is the correct choice because the administrator specifically wants the mount to return an error after a short timeout instead of hanging.

Exam trap

LPI often tests the distinction between `hard` and `soft` mounts, and the trap here is that candidates may confuse `intr` (which only makes hard mounts interruptible) with a timeout-based error return, or think `bg` affects runtime behavior instead of mount-time retries.

How to eliminate wrong answers

Option A is wrong because `intr` (interruptible) allows signals to interrupt NFS operations on a hard mount, but it does not cause the mount to return an error after a timeout; it only makes a hard mount interruptible by user signals. Option B is wrong because `bg` (background) retries the mount in the background if it fails initially, but it does not affect the behavior of an already-mounted filesystem when the server goes offline; it is used for mount retries, not for timeout behavior. Option C is wrong because `hard` causes the NFS client to retry requests indefinitely until the server responds, which results in the application hanging indefinitely — exactly the behavior the administrator wants to avoid.

41
MCQeasy

Which command is used to list the NFS exports available from a specific server?

A.showmount -e server
B.mount -t nfs4 server:/export /mnt
C.nfsstat
D.exportfs -a
AnswerA

showmount with -e lists the exported filesystems from a server.

Why this answer

The `showmount -e server` command queries the NFS server's mount daemon (rpc.mountd) to list the exported filesystems that are currently available. This is the standard method for a client to discover which NFS shares a server is offering, as it directly interrogates the server's export list via the RPC protocol.

Exam trap

The trap here is that candidates often confuse `showmount -e` with `exportfs` (a server-side command) or with `mount` (which requires prior knowledge of the export path), leading them to pick a command that either does not query a remote server or performs a different operation entirely.

How to eliminate wrong answers

Option B is wrong because `mount -t nfs4 server:/export /mnt` is used to mount an NFS share, not to list available exports; it assumes you already know the export path. Option C is wrong because `nfsstat` displays NFS statistics (like RPC call counts and performance data) on the local system, not the export list from a remote server. Option D is wrong because `exportfs -a` is a server-side command that exports or unexports all directories listed in `/etc/exports`; it does not query a remote server for its exports.

42
MCQhard

A user reports that they cannot SSH to a remote server using the usual command 'ssh user@remote.example.com'. The administrator tests and gets 'Permission denied (publickey,gssapi-keyex,gssapi-with-mic)'. The user's public key is in ~/.ssh/authorized_keys on the remote server. The local client has the matching private key. Which step should the administrator take to resolve the issue?

A.Generate a new RSA key pair on the client with ssh-keygen.
B.Run 'ssh-add' to add the private key to the SSH agent.
C.Restart the sshd service on the client.
D.Check /var/log/auth.log on the remote server to see why the key was rejected.
AnswerD

Server logs show the exact reason for key rejection.

Why this answer

The error message indicates that the SSH server rejected all offered authentication methods, including publickey. Since the user's public key is in the remote server's authorized_keys file and the client has the matching private key, the most likely cause is a file permission or SELinux/AppArmor issue on the remote server, or a key format mismatch. Checking /var/log/auth.log on the remote server will show the exact reason for the rejection, such as 'bad permissions' or 'key not recognized', allowing targeted troubleshooting.

Exam trap

The trap here is that candidates assume the key pair is the problem and jump to regenerating keys or using ssh-add, when the real issue is often a server-side configuration or permission problem that can only be diagnosed by examining the remote server's authentication logs.

How to eliminate wrong answers

Option A is wrong because generating a new key pair would not resolve the underlying issue; the existing keys are already correctly placed, and a new pair would require re-adding the public key to authorized_keys. Option B is wrong because ssh-add is only needed if the private key is not loaded into an SSH agent; the user is running ssh directly, not via an agent, and the private key file is present. Option C is wrong because restarting sshd on the client has no effect on the remote server's authentication process; the issue is on the remote server, not the client.

43
MCQeasy

Which directive in dhcpd.conf sets the maximum lease time?

A.option lease-time
B.default-lease-time
C.lease-time
D.max-lease-time
AnswerD

Correct directive for maximum lease time.

Why this answer

Option D is correct because the `max-lease-time` directive in `dhcpd.conf` explicitly sets the maximum lease time (in seconds) that the DHCP server will assign to a client, overriding any client request for a longer lease. This ensures the server enforces an upper bound on lease duration, preventing clients from monopolizing IP addresses indefinitely.

Exam trap

The trap here is that candidates often confuse `default-lease-time` (the fallback when no client request is made) with `max-lease-time` (the absolute ceiling), or assume that lease time is set via an `option` statement similar to other DHCP options like `option subnet-mask`.

How to eliminate wrong answers

Option A is wrong because `option lease-time` is not a valid directive in `dhcpd.conf`; the correct syntax uses `max-lease-time` and `default-lease-time` as top-level parameters, not as options within an `option` statement. Option B is wrong because `default-lease-time` sets the lease time used when the client does not request a specific lease time, not the maximum allowed lease time. Option C is wrong because `lease-time` is not a recognized directive in the ISC DHCP server configuration; the parameter must be explicitly named `max-lease-time` or `default-lease-time`.

44
Multi-Selectmedium

Which TWO tools can be used to configure network interfaces on a Linux system?

Select 2 answers
A.nmcli
B.route
C.ip
D.ifconfig
E.netstat
AnswersA, C

nmcli is the command-line tool for NetworkManager, widely used for network configuration.

Why this answer

A is correct because `nmcli` is the command-line tool for controlling NetworkManager, which is the standard service for managing network interfaces on modern Linux distributions. It allows you to create, modify, and activate or deactivate network connections, making it a primary tool for interface configuration.

Exam trap

The trap here is that candidates often confuse `ifconfig` as a valid configuration tool because of its historical use, but the LPIC-2 exam expects knowledge that it is deprecated and that `ip` and `nmcli` are the correct modern tools.

45
MCQhard

A Linux client is configured with two network interfaces: eth0 (connected to the internet) and eth1 (connected to a private LAN). The default route is set to eth0. The client can access the internet but cannot access hosts on the private LAN. What is the most likely cause?

A.A firewall on the client is blocking ICMP packets on eth1.
B.The eth1 interface is not configured with an IP address.
C.The eth1 interface is not receiving a DHCP lease.
D.There is no route to the private subnet via eth1.
AnswerD

Without a specific route, traffic to the private subnet may be sent to the default gateway (eth0) and fail.

Why this answer

Option D is correct because without a route to the private subnet via eth1, the client has no way to forward packets destined for the private LAN out of eth1. The default route via eth0 only handles traffic for destinations not explicitly matched by other routes; if the private subnet is not in the routing table, packets to that subnet will be sent to the default gateway (internet) and fail. The `ip route` command would show the missing entry, and adding a static route (e.g., `ip route add 192.168.1.0/24 dev eth1`) resolves the issue.

Exam trap

The trap here is that candidates often assume a missing IP address or DHCP lease is the cause, but the question explicitly states the client has two configured interfaces—the real issue is the absence of a route to the private subnet, which is a classic LPIC-2 routing table pitfall.

How to eliminate wrong answers

Option A is wrong because a firewall blocking ICMP on eth1 would prevent ping responses but not necessarily all TCP/UDP traffic to hosts on the private LAN; the question states the client cannot access hosts at all, which points to a routing issue, not a firewall rule. Option B is wrong because if eth1 had no IP address, the interface would not be up or operational, but the scenario implies the interface exists and is configured (otherwise the client would not even attempt to use it); the problem is specifically about missing routing, not missing IP configuration. Option C is wrong because DHCP is not required for a private LAN; static IP configuration is common, and the absence of a DHCP lease would not prevent manual IP assignment or routing—the core issue remains the missing route.

46
Multi-Selecteasy

Which TWO authentication modules can be used with PAM to integrate LDAP authentication on a Linux client?

Select 2 answers
A.pam_unix
B.pam_krb5
C.pam_radius
D.pam_tally2
E.pam_ldap
AnswersB, E

pam_krb5 can be used for Kerberos authentication, often with LDAP.

Why this answer

Option B (pam_krb5) is correct because it allows PAM to authenticate users against a Kerberos KDC, which is commonly used alongside LDAP for single sign-on in enterprise environments. Option E (pam_ldap) is correct because it directly enables PAM to bind to an LDAP directory server for user authentication, typically using the LDAP BIND operation. Both modules are standard choices for integrating LDAP authentication on a Linux client.

Exam trap

The trap here is that candidates may confuse pam_ldap with pam_unix or think pam_radius can be used for LDAP, but the exam expects knowledge of the specific PAM modules designed for directory services and Kerberos integration.

47
MCQmedium

A system administrator notices that a Linux client is unable to resolve hostnames after connecting to a new network. The client uses DHCP and the /etc/resolv.conf file contains only the loopback address 127.0.0.1. Which of the following is the most likely cause?

A.The DHCP server did not provide DNS server information.
B.The /etc/resolv.conf file is a symbolic link to /run/NetworkManager/resolv.conf.
C.The client is configured to use a local DNS resolver such as systemd-resolved or dnsmasq.
D.The /etc/resolv.conf file is not being updated by the DHCP client.
AnswerC

This is correct because local resolvers often set 127.0.0.1 as the nameserver and then forward queries. If the local resolver is misconfigured or not running, resolution fails.

Why this answer

Option C is correct because when /etc/resolv.conf contains only 127.0.0.1, it typically indicates that a local DNS resolver (like systemd-resolved or dnsmasq) is running on the client. These resolvers bind to the loopback address and handle DNS queries locally, often forwarding them to upstream servers provided by DHCP. The client can still resolve hostnames if the local resolver is properly configured to use the DHCP-supplied DNS servers, so the presence of 127.0.0.1 alone does not imply a failure.

Exam trap

The trap here is that candidates assume 127.0.0.1 in /etc/resolv.conf always indicates a misconfiguration or DHCP failure, when in fact it is a deliberate design of local DNS resolvers like systemd-resolved or dnsmasq that proxy queries to upstream servers.

How to eliminate wrong answers

Option A is wrong because if the DHCP server did not provide DNS server information, the /etc/resolv.conf file would likely be empty or contain only default entries, not specifically the loopback address 127.0.0.1. Option B is wrong because a symbolic link to /run/NetworkManager/resolv.conf does not inherently cause the file to contain only 127.0.0.1; NetworkManager typically writes the actual DNS servers obtained via DHCP, not just the loopback address. Option D is wrong because the DHCP client (e.g., dhclient) does update /etc/resolv.conf by default unless explicitly configured not to; the presence of 127.0.0.1 suggests a local resolver is intentionally intercepting DNS, not that the update mechanism is broken.

48
Matchingmedium

Match each NFS version to its feature.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Stateless protocol with 64-bit file handles

Stateful protocol with integrated locking and security

Adds parallel NFS (pNFS) for scalability

Adds server-side copy and sparse file support

Uses Remote Direct Memory Access for low latency

Why these pairings

NFS versions have evolved to improve performance and features.

49
MCQmedium

An administrator configured an autofs direct map for a remote NFS share. The master map at /etc/auto.master contains a line: '/data /etc/auto.direct'. The direct map file /etc/auto.direct has: '/projects -rw,soft fileserver:/exports/projects'. When a user tries to cd /data/projects, it hangs. The autofs service is running. What is the most likely cause?

A.The master map should use '/-' instead of '/data' for direct maps.
B.The NFS server fileserver is not exporting /exports/projects.
C.The autofs service is not started.
D.The 'soft' mount option is missing.
AnswerA

Direct maps require the master map to have a mount point of '/-'.

Why this answer

Direct maps in autofs must use the special mount point '/-' in the master map, not an actual directory path like '/data'. When '/data' is specified, autofs treats it as an indirect map key, causing it to look for a subdirectory matching the key under '/data' rather than triggering the direct mount of '/projects'. This mismatch leads to a hang when the user attempts to access '/data/projects' because autofs never attempts the NFS mount.

Exam trap

The trap here is that candidates often confuse the syntax for direct versus indirect maps in the master map, mistakenly thinking any path can be used for direct maps, when in fact '/-' is a required literal placeholder.

How to eliminate wrong answers

Option B is wrong because even if the NFS export is missing, the hang occurs before any mount attempt due to the master map misconfiguration; a missing export would typically result in a timeout or error after the mount is attempted, not an immediate hang. Option C is wrong because the question explicitly states the autofs service is running, so this is not the cause. Option D is wrong because the 'soft' mount option is already present in the direct map entry; moreover, the hang is not related to mount option behavior but to the fundamental map type misconfiguration.

50
Multi-Selectmedium

Which TWO commands can be used to display the current DNS resolver configuration on a Linux system? (Select TWO.)

Select 3 answers
A.dig localhost
B.nmcli dev show
C.resolvectl status
D.nslookup
E.cat /etc/resolv.conf
AnswersB, C, E

nmcli dev show displays network device details, including DNS configuration if NetworkManager is active.

Why this answer

The `nmcli dev show` command displays detailed network device information, including the DNS resolver configuration managed by NetworkManager. The `resolvectl status` command shows the current DNS resolver state and configuration as managed by systemd-resolved. Both commands are valid for viewing the active DNS resolver settings on a modern Linux system.

Exam trap

The trap here is that candidates often assume `cat /etc/resolv.conf` is always the authoritative source for DNS resolver configuration, but on modern systems with systemd-resolved or NetworkManager, this file may be dynamically generated or a stub, and the actual resolver state is better queried via `resolvectl status` or `nmcli dev show`.

51
Multi-Selectmedium

Given the LDAP client configuration shown in the exhibit, which THREE additional components are required for LDAP authentication to work? (Choose three.)

Select 3 answers
A.Edit /etc/nsswitch.conf to include ldap in passwd, shadow, and group lines.
B.Install and configure autofs.
C.Configure /etc/krb5.conf for Kerberos.
D.Add 'auth sufficient pam_ldap.so' or similar to /etc/pam.d/system-auth.
E.Start the nscd service.
AnswersA, D, E

Necessary to query LDAP for user/group info.

Why this answer

Option A is correct because /etc/nsswitch.conf controls which sources the system uses for user, group, and password lookups. Adding 'ldap' to the passwd, shadow, and group lines directs the Name Service Switch (NSS) to query the LDAP directory for authentication-related information, which is essential for integrating LDAP as an identity source.

Exam trap

The trap here is that candidates often confuse optional components like autofs or Kerberos as mandatory for LDAP authentication, when in fact only NSS, PAM, and caching (nscd) are the core required pieces for basic LDAP authentication to function.

52
MCQmedium

A Linux client is configured to authenticate users against an LDAP server using PAM. Some users are unable to log in, while others succeed. The admin has verified that the LDAP server is reachable and that the user entries exist. Which of the following is the most likely cause?

A.The nsswitch.conf file is missing the 'ldap' entry for 'passwd'.
B.The pam_ldap configuration has a size limit that restricts search results.
C.The LDAP server is using different encryption settings.
D.The nslcd service is not running.
AnswerB

A size limit can cause some valid users to be omitted from search results, leading to intermittent failures.

Why this answer

Option B is correct because the pam_ldap configuration can include a size limit (e.g., 'pam_ldap size_limit 500') that restricts the number of entries returned from an LDAP search. When a user logs in, PAM may perform a search that returns multiple matching entries (e.g., due to ambiguous username or group membership lookups), and if the result set exceeds this limit, the search fails for some users. This explains why some users succeed while others fail, even though the LDAP server is reachable and user entries exist.

Exam trap

The trap here is that candidates often assume all authentication failures are due to network or service issues, but the question specifically states the LDAP server is reachable and user entries exist, so the cause must be a client-side configuration limit that affects only some users, such as a size limit in pam_ldap.

How to eliminate wrong answers

Option A is wrong because the nsswitch.conf file missing the 'ldap' entry for 'passwd' would cause all user lookups to fail, not just some users; it is a system-wide configuration issue. Option C is wrong because different encryption settings between the client and server would typically cause a connection failure for all users, not a partial login issue. Option D is wrong because if the nslcd service is not running, no LDAP authentication would work at all; the fact that some users can log in proves the service is operational.

53
MCQhard

A company has a Linux client running Ubuntu 20.04 that is used by multiple developers. The client has two network interfaces: eth0 (connected to the corporate network with DHCP) and eth1 (connected to a test lab with static IP 192.168.100.10/24). The client needs to access both the internet (via eth0) and the lab network (192.168.100.0/24). The default gateway is 10.0.0.1 on eth0. The lab network has a server at 192.168.100.50 that provides DHCP for the lab devices, but the client's eth1 is statically configured. Recently, the client cannot reach the lab server at 192.168.100.50. The administrator checks the routing table and sees: Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.0.0.1 0.0.0.0 UG 100 0 0 eth0 10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 eth1 The administrator can ping 192.168.100.50 from the client. However, the lab server cannot ping the client. What is the most likely cause?

A.The lab server's default gateway is misconfigured.
B.The client's firewall is blocking incoming ICMP echo requests.
C.The client has no route to the lab subnet.
D.The client's default gateway is misconfigured.
AnswerB

The client can initiate traffic but may block incoming connections, preventing the server from pinging back.

Why this answer

The client can ping the lab server (192.168.100.50), proving that outbound traffic from the client to the lab network works correctly. However, the lab server cannot ping the client, which indicates that either the return traffic is blocked or the client does not have a route back to the server. Since the client's routing table shows a direct route to 192.168.100.0/24 via eth1, the issue is not a missing route; instead, the most likely cause is that the client's firewall (e.g., iptables or ufw) is blocking incoming ICMP Echo Requests (ping) on eth1, while allowing outbound traffic.

Exam trap

The trap here is that candidates assume a successful ping from client to server implies full bidirectional connectivity, but they overlook that firewalls often block inbound ICMP while permitting outbound, leading to a one-way communication failure.

How to eliminate wrong answers

Option A is wrong because the lab server's default gateway is irrelevant for reaching the client on the same subnet (192.168.100.0/24); devices on the same broadcast domain communicate directly via ARP, not through a gateway. Option C is wrong because the routing table clearly shows a route to 192.168.100.0/24 via eth1 with a metric of 100, so the client does have a route to the lab subnet. Option D is wrong because the default gateway (10.0.0.1 on eth0) is correctly configured for internet access, and the client can reach the lab server, so the default gateway is not the issue.

54
Multi-Selecteasy

Which TWO configuration files are commonly used to specify DNS resolver settings on a Linux system? (Select TWO.)

Select 2 answers
A./etc/nsswitch.conf
B./etc/systemd/resolved.conf
C./etc/resolv.conf
D./etc/dhcp/dhclient.conf
E./etc/hosts
AnswersB, C

Configuration file for systemd-resolved, which can manage DNS settings.

Why this answer

Option B is correct because /etc/systemd/resolved.conf is the configuration file for systemd-resolved, a service that manages DNS resolution on modern Linux systems. Option C is correct because /etc/resolv.conf is the traditional configuration file for specifying DNS resolver settings, including nameserver addresses and search domains, and is still widely used.

Exam trap

The trap here is that candidates often confuse /etc/nsswitch.conf with DNS resolver configuration, but it only controls the lookup order (e.g., 'hosts: files dns') and does not contain nameserver addresses.

55
MCQeasy

A DHCP client reports it cannot obtain an IP address. The Ethernet cable is connected and the interface is up. The administrator runs 'dhclient eth0' but gets 'No DHCPOFFERS received'. The network has a DHCP server on the same subnet. Which command should the administrator use next to diagnose the problem?

A.Run 'route -n' to see if a default route exists.
B.Run 'netstat -i eth0' to check packet errors.
C.Run 'tcpdump -i eth0 port 67 or port 68' to monitor DHCP packets.
D.Run 'ifconfig eth0' to check the interface status.
AnswerC

Captures DHCP traffic to identify issue.

Why this answer

Option C is correct because the client is not receiving DHCPOFFERs, indicating a network-level issue with DHCP traffic. Using tcpdump to capture packets on ports 67 (BOOTP server) and 68 (BOOTP client) allows the administrator to see if DHCPDISCOVER packets are leaving the client and whether any DHCPOFFER packets arrive from the server. This directly isolates whether the problem is a lack of server response, packet filtering, or a misconfigured relay agent.

Exam trap

The trap here is that candidates often jump to checking interface status or routing, but the core issue is that DHCP is a broadcast-based protocol on the local link, so packet capture is the definitive way to verify whether the client's DISCOVER is reaching the server and whether the server's OFFER is returning.

How to eliminate wrong answers

Option A is wrong because route -n shows the routing table, but the client is on the same subnet as the DHCP server, so routing is not involved in the initial DHCP handshake. Option B is wrong because netstat -i eth0 checks interface statistics like packet errors, but the interface is already confirmed up and connected, and packet errors would not prevent DHCPOFFERs from being received. Option D is wrong because ifconfig eth0 checks interface status, which the administrator already verified is up; repeating this command provides no new diagnostic information about DHCP traffic.

56
Multi-Selecteasy

Which TWO daemons are commonly used by DHCP clients on Linux to obtain an IP address? (Choose two.)

Select 2 answers
A.dhclient
B.dhcpcd
C.dhcrelay
D.dhcpd
E.tcpdump
AnswersA, B

ISC DHCP client.

Why this answer

dhclient is the default DHCP client for many Linux distributions, including those based on Red Hat and Debian. It uses the DHCP protocol (RFC 2131) to discover, request, and lease an IP address from a DHCP server, configuring the network interface accordingly.

Exam trap

The trap here is confusing DHCP client daemons (dhclient, dhcpcd) with DHCP server or relay daemons (dhcpd, dhcrelay), as candidates may misidentify the role of each daemon based on similar naming conventions.

57
MCQeasy

Refer to the exhibit. A user on the client tries to ping 'server1' and gets an unknown host error. What is the most likely cause?

A.The DNS server has no record for 'server1.example.com'.
B.The search domain is missing.
C.The DNS server IP is incorrect.
D.Only one nameserver is specified, causing a timeout.
AnswerA

The resolver will try to resolve 'server1.example.com' due to the search domain; if no record exists, it fails.

Why this answer

The error 'unknown host' indicates that the client's DNS resolution failed for the hostname 'server1'. Since the client likely uses a fully qualified domain name (FQDN) lookup or appends a search domain, the most common cause is that the DNS server does not have an A or AAAA record for 'server1.example.com'. Without a matching record, the resolver returns NXDOMAIN, leading to the 'unknown host' error.

Exam trap

The trap here is that candidates often confuse a DNS resolution failure due to a missing record (NXDOMAIN) with network connectivity issues or misconfigured resolvers, leading them to choose options like incorrect DNS server IP or timeout, when the actual cause is a lack of a DNS record for the queried hostname.

How to eliminate wrong answers

Option B is wrong because a missing search domain would cause the resolver to fail to append a domain suffix, but the client could still resolve 'server1' if it were a short name and the search list were empty; the error here is 'unknown host' for a name that likely includes the domain, so the search domain is not the primary issue. Option C is wrong because if the DNS server IP were incorrect, the client would typically get a 'connection timed out; no servers could be reached' error, not an 'unknown host' error, as the resolver would fail to contact any nameserver. Option D is wrong because having only one nameserver does not inherently cause a timeout; a timeout occurs only if that single server is unreachable, which would produce a different error message (e.g., 'Temporary failure in name resolution'), not 'unknown host'.

58
Multi-Selecthard

Which THREE conditions can cause a Linux DHCP client to fail to obtain an IP address? (Select THREE.)

Select 3 answers
A.A firewall on the client is blocking UDP port 67 (DHCP server).
B.The DHCP server is configured with a different subnet than the client's broadcast domain.
C.The DHCP server's address pool is exhausted.
D.The DHCP server has MAC address filtering enabled and the client's MAC is not allowed.
E.The client interface is configured with a static IP address.
AnswersA, C, D

DHCP uses UDP ports 67 and 68; blocking port 67 prevents the client from receiving DHCPOFFER messages.

Why this answer

Option A is correct because a client-side firewall blocking UDP port 67 prevents the DHCP client from receiving DHCPOFFER and DHCPACK messages from the server. DHCP uses UDP ports 67 (server) and 68 (client); blocking port 67 on the client disrupts inbound server responses, causing the client to fail to obtain an IP address.

Exam trap

The trap here is that candidates often assume a subnet mismatch (Option B) always prevents DHCP, but DHCP servers can offer addresses from different subnets if configured appropriately, and the client can accept them; the real failure condition is when the server cannot respond at all, such as with exhausted pools or MAC filtering.

59
MCQeasy

A client mounts the export with 'mount -t nfs server:/data /mnt/data' and root on the client can write files. Which option in /etc/exports allows root to retain its privileges?

A.root_squash
B.no_root_squash
C.rw
D.async
AnswerB

Root squashing is disabled, so root retains UID 0.

Why this answer

Option B (no_root_squash) is correct because it prevents the NFS server from mapping the client's root user (UID 0) to the anonymous 'nobody' user. By default, NFS exports use root_squash, which maps root to an unprivileged user for security. With no_root_squash, the client's root retains UID 0 on the server, allowing write access to files owned by root on the export.

Exam trap

The trap here is that candidates often confuse 'rw' (which enables write access) with the ability to retain root privileges, not realizing that root_squash is a separate, default mechanism that overrides rw for UID 0.

How to eliminate wrong answers

Option A (root_squash) is wrong because it is the default behavior that maps root to the anonymous user (typically 'nobody' or 'nfsnobody'), stripping root privileges — the opposite of what the question asks. Option C (rw) is wrong because it only grants read-write access to the export; it does not control UID mapping or root privilege retention. Option D (async) is wrong because it controls whether the server replies to write requests before data is written to stable storage, affecting performance and data integrity, not user privilege mapping.

60
MCQmedium

To ensure LDAP communication is encrypted, an administrator configures LDAP over SSL (LDAPS) on port 636. Which configuration file on the client should be modified to specify the LDAP server with TLS?

A./etc/pam_ldap.conf
B./etc/openldap/ldap.conf
C./etc/nsswitch.conf
D./etc/ldap/ldap.conf
AnswerD

This is the standard LDAP client configuration file.

Why this answer

Option D is correct because the LDAP client configuration file on Linux systems is typically located at /etc/ldap/ldap.conf (or /etc/openldap/ldap.conf on some distributions). This file is used by LDAP client libraries (e.g., libldap) to specify the LDAP server URI, including the use of TLS/SSL via the ldaps:// scheme or the TLS_REQCERT directive. Modifying this file allows the client to connect to an LDAP server over port 636 with encryption.

Exam trap

The trap here is that candidates often confuse the client configuration file path between distributions (e.g., /etc/openldap/ldap.conf vs. /etc/ldap/ldap.conf) or mistakenly choose /etc/pam_ldap.conf because it deals with authentication, but the question specifically asks for the file to specify the LDAP server with TLS, which is the generic client LDAP configuration file.

How to eliminate wrong answers

Option A is wrong because /etc/pam_ldap.conf is used by the PAM LDAP module for authentication configuration, not for specifying the LDAP server URI or TLS settings for general LDAP client operations. Option B is wrong because /etc/openldap/ldap.conf is the correct path on distributions using OpenLDAP (e.g., Red Hat, CentOS), but the question specifies /etc/ldap/ldap.conf as the correct answer, which is the path on Debian-based systems; however, the trap is that both paths exist, but the question explicitly marks D as correct, so B is not the intended answer. Option C is wrong because /etc/nsswitch.conf controls the order of name resolution services (e.g., files, ldap, dns) and does not contain LDAP server connection details or TLS configuration.

61
Multi-Selecthard

Which TWO are true about the autofs automounter configuration? (Choose two.)

Select 2 answers
A.Autofs mounts remain indefinitely once accessed.
B.Autofs uses /etc/fstab to define automount points.
C.The master configuration file is /etc/auto.master.
D.Autofs can only be used with NFS filesystems.
E.Direct maps are useful for mount points that are not under /net or /home.
AnswersC, E

Defines mount points and maps.

Why this answer

Option C is correct because the autofs automounter uses /etc/auto.master as its master configuration file. This file defines the base directories for automount points and references subordinate map files (e.g., /etc/auto.home) that specify the actual mount details. The automounter daemon (automount) reads this master file to determine which directories to manage and how to mount filesystems on demand.

Exam trap

The trap here is that candidates often confuse the master configuration file with /etc/fstab or assume autofs is NFS-only, while the exam tests knowledge of the specific master file (/etc/auto.master) and the flexibility of autofs to handle multiple filesystem types and map styles.

62
MCQmedium

A user authenticates via LDAP successfully, but 'getent passwd' only shows local users. What is the problem?

A.The ldap entry should be before files.
B.The LDAP server is not responding for passwd queries.
C.The shadow map is missing LDAP.
D.The nscd cache needs to be cleared.
AnswerB

If the server doesn't respond, getent falls back to files after files.

Why this answer

Option B is correct because the user can authenticate via LDAP (which typically uses the 'auth' or 'account' NSS modules) but 'getent passwd' only shows local users, indicating that the NSS 'passwd' map is not querying the LDAP server. This means the LDAP server is either unreachable for passwd queries or the NSS configuration for the 'passwd' database is misconfigured (e.g., missing 'ldap' in /etc/nsswitch.conf for passwd). The successful authentication suggests the LDAP server is reachable for authentication purposes, but the passwd map query fails, often due to a separate LDAP server or service issue specific to user/group lookups.

Exam trap

The trap here is that candidates assume successful authentication implies all LDAP services are working, but LPIC-2 tests the distinction between NSS maps (passwd, group) and PAM modules (auth, account), where a failure in the passwd map query does not prevent authentication if the LDAP server responds to bind requests.

How to eliminate wrong answers

Option A is wrong because placing 'ldap' before 'files' in /etc/nsswitch.conf would change the order of lookups but would not cause 'getent passwd' to show only local users if the LDAP server is actually responding; the problem is that the LDAP server is not responding for passwd queries, not the order. Option C is wrong because the shadow map (for password hashes) is irrelevant to 'getent passwd', which displays user account information from the passwd database, not shadow entries; missing LDAP in shadow would affect authentication, not the passwd listing. Option D is wrong because clearing the nscd cache would only help if stale cached data were causing the issue, but the scenario describes a complete absence of LDAP users in the output, which indicates the LDAP server is not responding for passwd queries, not a caching problem.

63
MCQmedium

Refer to the exhibit. A client with MAC address 08:00:27:ab:cd:ef on the 192.168.1.0/24 network receives IP 192.168.2.10 instead of an IP from the 192.168.1.0 subnet. What is the most likely explanation?

A.The relay agent is misconfigured and forwards requests to the wrong subnet.
B.The client's network interface is set to a static IP address.
C.The server's host declaration assigns a fixed-address from a different subnet.
D.The client sent a DHCP request with an incorrect subnet mask.
AnswerC

Correct. The host entry for the client's MAC assigns an IP from 192.168.2.0, overriding the subnet automation.

Why this answer

The host declaration for MAC 08:00:27:ab:cd:ef assigns a fixed-address of 192.168.2.10, which belongs to a different subnet. This overrides the dynamic range assignment, causing the client to receive an IP outside its expected subnet. Other options are less likely because the server log would not show a request causing this cross-subnet assignment without the host entry.

64
MCQhard

A system administrator configures a Linux client to authenticate users via an LDAP directory directory for user login. The LDAP server is located on a remote network across a WAN link with moderate latency. Authentication succeeds, but user logins take 10-15 seconds to complete, causing delays. The LDAP server logs show low CPU usage and minimal queries per second. The client has not yet implemented any local caching services. The administrator wants to reduce the login delay without compromising security. What should the administrator do?

A.Disable LDAP TLS encryption to reduce cryptographic overhead.
B.Change the file ownership of /etc/pam.d/common-auth to root to force direct LDAP reads.
C.Enable nscd (Name Service Cache Daemon) to cache passwd, group, and services lookups.
D.Increase the number of LDAP server threads to handle concurrent requests faster.
AnswerC

Correct. nscd caches name service requests, including LDAP queries, drastically reducing the number of WAN round-trips and speeding up authentication.

Why this answer

Enabling nscd caches user and group information, which reduces the number of LDAP queries and significantly speeds up logins. Other options are less effective or introduce security risks. Increasing server threads does not address client-side delays.

Disabling TLS is a security risk. Changing file ownership is irrelevant.

65
MCQhard

A Linux server exports a directory /data via NFS to a client. The client mounts it with 'mount -t nfs server:/data /mnt/data'. Write operations from the client fail with 'Permission denied' on some files. The server's /etc/exports contains: /data 192.168.1.0/24(rw,root_squash). What is the most likely issue?

A.NFS version mismatch
B.root_squash maps root to nobody
C.Client mount option 'noexec'
D.Missing 'rw' option in /etc/exports
AnswerB

Root on client is mapped to nobody, lacking ownership permissions.

Why this answer

The 'root_squash' option in /etc/exports maps the UID 0 (root) on the client to the 'nobody' user (typically UID 65534) on the server. When a client user with UID 0 attempts to write to files owned by other users or with restrictive permissions, the server sees the request as coming from 'nobody', which lacks write access, resulting in 'Permission denied'. This is the most likely cause because the client mount command does not specify 'no_root_squash', and the server's export explicitly enables root squashing.

Exam trap

The trap here is that candidates often confuse 'root_squash' with a missing 'rw' option or assume a version mismatch, when in fact the permission error on writes by root is the classic symptom of root squashing being active.

How to eliminate wrong answers

Option A is wrong because NFS version mismatch would typically cause mount failures or protocol errors, not 'Permission denied' on write operations to specific files. Option C is wrong because 'noexec' prevents execution of binaries, not file writes; it is a client-side mount option that does not affect write permissions. Option D is wrong because the /etc/exports line already includes 'rw', so the 'rw' option is present and not missing.

66
MCQeasy

An administrator wants to restrict access to a service using PAM. Which file order determines the authentication flow for a service?

A./etc/pam.d/<service-name>
B./etc/nsswitch.conf
C./etc/security/access.conf
D./etc/pam.conf
AnswerA

Each service has its own PAM configuration file in /etc/pam.d/.

Why this answer

PAM (Pluggable Authentication Modules) uses per-service configuration files located in /etc/pam.d/ to define the authentication flow. When a service (e.g., sshd, login) calls PAM, it reads the file named after the service (e.g., /etc/pam.d/sshd) to determine the order of modules (auth, account, password, session) and their control flags (required, requisite, sufficient, optional). This file-based approach allows fine-grained, service-specific authentication policies.

Exam trap

The trap here is that candidates confuse the PAM service configuration directory (/etc/pam.d/) with the legacy monolithic /etc/pam.conf or with unrelated system configuration files like /etc/nsswitch.conf or /etc/security/access.conf, which serve entirely different purposes in the authentication or name resolution pipeline.

How to eliminate wrong answers

Option B is wrong because /etc/nsswitch.conf controls the order of name resolution (e.g., hosts, passwd, group) via NSS (Name Service Switch), not PAM authentication flow. Option C is wrong because /etc/security/access.conf is a configuration file for the pam_access module, which restricts login access based on user/group/host, but it does not define the overall authentication flow for a service. Option D is wrong because /etc/pam.conf is a legacy monolithic configuration file for PAM on some older systems (e.g., Solaris), but on modern Linux systems, the per-service files in /etc/pam.d/ take precedence and are the standard; /etc/pam.conf is not used by default and would not be the primary file for a specific service.

67
MCQeasy

The DHCP client lease file shows a lease for 192.168.1.100. If the client fails to contact the original DHCP server by the rebind time (12:00), what will occur?

A.The client will continue to use the address until the expire time without any further attempts.
B.The client will immediately release the address.
C.The client will rebind with a new IP address from any server.
D.The client will attempt to contact any DHCP server to extend the lease.
AnswerD

After rebind, the client broadcasts to any DHCP server for a lease extension.

Why this answer

When a DHCP client reaches the rebind time (T2, default 87.5% of lease duration) without contacting the original server, it enters the REBINDING state. In this state, the client broadcasts a DHCPREQUEST to any available DHCP server to extend the lease. Option D correctly describes this behavior, as defined in RFC 2131.

Exam trap

The trap here is confusing the rebind time (T2) with the expire time (T3), leading candidates to think the client releases or stops using the address immediately, when in fact it broadcasts to any server for a lease extension.

How to eliminate wrong answers

Option A is wrong because the client does not passively wait until expiration; it actively attempts to rebind with any server after the rebind time. Option B is wrong because the client only releases the address at the expire time (T3), not at the rebind time. Option C is wrong because the client does not request a new IP address; it requests an extension of its current lease (same IP) from any responding server.

68
MCQeasy

Which of the following is a valid NTP configuration file directive to specify a broadcast client?

A.peer
B.server
C.broadcast
D.broadcastclient
AnswerD

Correct directive for broadcast client.

Why this answer

Option D is correct because the `broadcastclient` directive in an NTP configuration file instructs the NTP daemon to listen for NTP broadcast messages on the local network. This is the standard way to configure a client to synchronize time from a broadcast server without specifying individual server addresses.

Exam trap

The trap here is that candidates confuse the server-side `broadcast` directive with the client-side `broadcastclient` directive, assuming the same keyword applies to both roles.

How to eliminate wrong answers

Option A is wrong because `peer` configures symmetric active association for mutual time synchronization between two NTP servers, not for a client listening to broadcasts. Option B is wrong because `server` specifies a unicast NTP server address for direct client-server polling, not a broadcast client mode. Option C is wrong because `broadcast` is used on the server side to enable sending NTP broadcast packets, not on the client side to receive them.

69
MCQmedium

Which directive in ntp.conf enables the NTP server to respond to queries from clients?

A.broadcast
B.peer
C.restrict
D.server
AnswerC

Controls client access via restrict rules.

Why this answer

The `restrict` directive in ntp.conf controls access to the NTP server, including whether it responds to client queries. By default, NTP servers restrict all access; adding a `restrict` line with the `nomodify` and `notrap` flags (or no restrictive flags) allows clients to query the server. Option C is correct because `restrict` is the directive that explicitly permits or denies NTP queries from clients.

Exam trap

The trap here is that candidates confuse `server` (which configures the local daemon as a client to an upstream server) with the directive that controls whether the local daemon responds to clients, when in fact `restrict` is the access control mechanism.

How to eliminate wrong answers

Option A is wrong because `broadcast` configures the NTP server to send broadcast or multicast packets to clients, not to respond to client queries; it is a one-way announcement mode. Option B is wrong because `peer` configures symmetric active association with another NTP server for mutual synchronization, not to respond to client queries. Option D is wrong because `server` configures the local NTP daemon to synchronize to an upstream NTP server, not to respond to client queries.

70
Multi-Selecthard

Which THREE files are commonly involved in configuring a Linux client for LDAP authentication?

Select 3 answers
A./etc/hosts
B./etc/resolv.conf
C./etc/pam.d/system-auth
D./etc/ldap.conf
E./etc/nsswitch.conf
AnswersC, D, E

PAM configuration file that includes pam_ldap or pam_krb5.

Why this answer

Option C is correct because /etc/pam.d/system-auth (or its equivalent, such as /etc/pam.d/common-auth on Debian-based systems) is the central PAM configuration file that defines authentication modules. For LDAP authentication, the pam_ldap module is typically stacked here to allow LDAP-based user credential verification, making it essential for integrating LDAP into the system's authentication flow.

Exam trap

The trap here is that candidates often confuse /etc/resolv.conf or /etc/hosts as being part of LDAP client configuration, but these files handle network resolution, not authentication or identity lookup configuration.

71
Multi-Selectmedium

Which TWO commands can be used to query a DHCP server's lease database on a Linux server running ISC DHCP? (Assume default paths.) (Select two.)

Select 2 answers
A.dhcpd -t
B.cat /var/lib/dhcp/dhcpd.leases
C.dhcp-lease-list
D.less /etc/dhcp/dhcpd.conf
E.dhcpd -p
AnswersB, C

Lease database file.

Why this answer

Option B is correct because the ISC DHCP server stores its lease database in a plain-text file at `/var/lib/dhcp/dhcpd.leases` by default. Reading this file with `cat` directly displays all active and expired leases, including IP addresses, MAC addresses, and lease durations. Option C is correct because `dhcp-lease-list` is a utility that parses the same lease file and presents the data in a formatted, human-readable table.

Exam trap

The trap here is that candidates confuse the lease database file with the configuration file, or assume that command-line flags like `-t` or `-p` are used for lease queries, when in fact they serve entirely different purposes (syntax testing and port selection).

72
MCQeasy

Which protocol does Samba implement to provide file sharing services to Windows clients?

A.HTTP
B.AFP
C.SMB
D.NFS
AnswerC

Samba uses SMB/CIFS to interoperate with Windows clients.

Why this answer

Samba implements the SMB (Server Message Block) protocol, specifically the CIFS variant, to provide file and printer sharing services to Windows clients. SMB operates over TCP port 445 (direct hosting) or NetBIOS over TCP/IP (ports 137-139), enabling cross-platform file access in mixed Linux/Windows environments.

Exam trap

The trap here is that candidates often confuse SMB with NFS because both are network file-sharing protocols, but NFS is native to Unix/Linux and lacks the Windows-specific features (e.g., NetBIOS, RAP, named pipes) that Samba implements via SMB.

How to eliminate wrong answers

Option A is wrong because HTTP (Hypertext Transfer Protocol) is a stateless application protocol for web content transfer, not designed for file sharing with Windows SMB semantics or authentication. Option B is wrong because AFP (Apple Filing Protocol) is Apple's proprietary protocol for macOS file sharing, not used by Windows clients. Option D is wrong because NFS (Network File System) is a Unix/Linux-centric protocol (RFC 1813, 3530) that lacks the native authentication and locking mechanisms required by Windows clients.

73
Drag & Dropmedium

Arrange the steps to perform a disaster recovery from a full system backup using tar.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Boot into rescue, prepare disks, mount, extract backup, then reboot.

74
MCQmedium

A Linux client is experiencing slow name resolution. The /etc/nsswitch.conf file has the line 'hosts: files dns'. The /etc/hosts file contains many entries. What is the most effective way to improve resolution speed?

A.Increase the DNS timeout in /etc/resolv.conf
B.Change the nsswitch.conf line to 'hosts: dns files'
C.Install and configure nscd (Name Service Cache Daemon)
D.Remove all entries from /etc/hosts except localhost
AnswerB

Checking DNS first avoids reading the large hosts file for most queries, improving resolution speed for external names.

Why this answer

Option B is correct because the current order 'hosts: files dns' causes the resolver to check the entire /etc/hosts file first for every query, which is slow when the file contains many entries. Reversing the order to 'hosts: dns files' makes the resolver query DNS first, which is typically faster for most lookups, and only falls back to the local file if DNS fails. This directly addresses the bottleneck without requiring additional services or data removal.

Exam trap

The trap here is that candidates assume removing entries from /etc/hosts or adding a caching daemon will fix the speed issue, when the real problem is the lookup order in nsswitch.conf, which directly controls whether the resolver checks a potentially large local file before querying DNS.

How to eliminate wrong answers

Option A is wrong because increasing the DNS timeout in /etc/resolv.conf would make resolution slower, not faster, as it extends the wait time for DNS responses. Option C is wrong because installing nscd adds overhead and does not change the order of resolution; it caches results but still processes the entire /etc/hosts file first when 'files' is listed before 'dns'. Option D is wrong because removing entries from /etc/hosts is unnecessary and may break local name resolution for static mappings; the issue is the lookup order, not the file's content size.

75
MCQhard

A DHCP server is configured to serve multiple subnets but only clients on one subnet receive IP addresses. The server is connected to a router that does not forward DHCP broadcasts. What should be configured to support the other subnets?

A.Add more subnet declarations to the DHCP server
B.Set up a DHCP relay agent on the other subnets
C.Add 'shared-network' declarations
D.Configure the router to act as a DHCP server
AnswerB

A relay forwards DHCP broadcasts across routers.

Why this answer

The router does not forward DHCP broadcasts, so clients on other subnets cannot reach the DHCP server. A DHCP relay agent (e.g., `dhcrelay` or `ip helper-address`) intercepts broadcast requests on those subnets and forwards them as unicast to the DHCP server, allowing the server to assign addresses from the appropriate subnet pools. This is the standard solution per RFC 1542 when routers do not support BOOTP forwarding.

Exam trap

The trap here is that candidates often think adding more subnet declarations or using shared-network directives will fix the issue, but the core problem is the lack of broadcast forwarding, which only a relay agent can solve.

How to eliminate wrong answers

Option A is wrong because adding more subnet declarations to the DHCP server does not solve the problem of broadcast packets not reaching the server from remote subnets; the server already has the necessary subnet declarations, but the clients cannot communicate. Option C is wrong because 'shared-network' declarations are used when multiple subnets share the same physical network segment (e.g., for load balancing), not for routing DHCP broadcasts across separate subnets. Option D is wrong because configuring the router to act as a DHCP server would change its role entirely and is unnecessary; the correct approach is to enable DHCP relay on the router or a separate agent to forward broadcasts, not to replace the existing server.

Page 1 of 2 · 81 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Network Client Management questions.