202-450 Questions and Answers

According to the configuration, the postmaster address is set to postmaster@domain.com. This means that any system-generated messages or notifications sent to the administrator of this domain will use this address as the sender. The postmaster address is also used to receive messages from external senders who need to contact the administrator for any reason, such as reporting spam or abuse. The postmaster address is a mandatory requirement for any mail server, as specified by the RFC 5321 standard. References:

• LPIC-2 exam 202 objectives, topic 207.3, Manage the postfix mail system
• RFC 5321, section 4.5.1, Postmaster Role

 The mydestination parameter in the Postfix main.cf configuration file specifies the list of domains that are delivered via the $local_transport mail delivery transport. This means that Postfix will accept mail for those domains and deliver it to local mailboxes. To accept mail for both the old and new domain names, the mydestination parameter should include both domains, separated by commas. For example:

mydestination = olddomain.com, newdomain.com, localhost

This will allow Postfix to accept mail for user@olddomain.com and user@newdomain.com and deliver it to the same local user mailbox.

References:

• LPIC-2 Exam 202 Objectives, Objective 205.3: Managing a postfix server
• Postfix Basic Configuration, Postfix Documentation
• Postfix Configuration Parameters: mydestination, Postfix Documentation
• How to configure Postfix to receive mail for multiple domains, Server Fault

The LDIF excerpt shows the distinguished name (dn) of Robert Smith as “cn=Robert Smith, ou=people, dc=example, dc=com”. The organizational unit (ou) attribute is used to represent an organizational unit in which an entry resides. In this case, Robert Smith is part of the “people” organizational unit.

References:

• [OpenLDAP Software 2.6 Administrator’s Guide: The LDIF File Format]: The official documentation of OpenLDAP on the LDIF file format, which explains the syntax and structure of LDIF entries and attributes.
• [LDAP Data Interchange Format (LDIF) - Version 1]: The RFC 2849 document that defines the LDAP Data Interchange Format (LDIF), which is a common format for exchanging LDAP data.

 TSIG stands for Transaction SIGnature, which is a mechanism for authenticating DNS messages using a shared secret key and a cryptographic hash algorithm. TSIG can be used to secure DNS updates, zone transfers, and queries between DNS servers and clients. To configure a BIND server to use TSIG, the following parameters should be added to the named.conf file:

• A key statement that defines the name, algorithm, and secret of the TSIG key. The name can be any arbitrary string, the algorithm can be one of the supported algorithms such as hmac-md5, hmac-sha1, hmac-sha256, etc., and the secret can be a base64-encoded string that represents the shared secret key. For example:

key “server.example.com” { algorithm hmac-md5; secret “skrKc4DoTzi/takIlPi7JZA==”; };

• A server statement that specifies the IP address or hostname of the remote server that will use the TSIG key, and the name of the key that should be used for communication. For example:

server 192.168.1.10 { keys { “server.example.com”; }; };

• A zone statement that indicates the zone name, type, and file of the zone that will use TSIG, and the name of the key that should be used for updates or transfers. For example:

zone “example.com” { type master; file “example.com.zone”; allow-update { key “server.example.com”; }; allow-transfer { key “server.example.com”; }; };

Option E shows the correct configuration parameters that should be added if the server should use the algorithm hmac-md5 and the key skrKc4DoTzi/takIlPi7JZA==. The other options are incorrect because they either use the wrong syntax, the wrong algorithm, the wrong key name, or the wrong secret.

References:

• LPIC-2 exam 202 objectives, topic 208.2, “Securing a DNS server”
• BIND 9 Administrator Reference Manual, chapter 6, “Access Control Lists and TSIG”
• How to Configure DNS Server with TSIG on CentOS 8

The standard port used by OpenVPN is 1194. OpenVPN is a VPN daemon that supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport, and other features. OpenVPN can be configured to listen on any port, but the default port is 1194, which is registered with the IANA for OpenVPN. The port number can be specified in the OpenVPN configuration file using the port directive. For example:

port 1194

This will instruct OpenVPN to listen on port 1194. The port number must match on both the server and the client sides of the connection. The port number can also be specified as an argument to the openvpn command. For example:

openvpn --port 1194

This will run OpenVPN with port 1194 as the default port.

References:

• Reference Manual For OpenVPN 2.6 | OpenVPN
• Reference Manual For OpenVPN 2.0 | OpenVPN
• Which ports to open for VPN PPTP, L2TP, IPsec, OpenVPN and … - ITIGIC

The .htaccess file in the directory is configured to require a valid user. The .htpasswd file contains the username and password for usera. Therefore, usera can access the site using the password s3cr3t. References:

• LPIC-2 Overview
• LPIC-2 202-450
• Password Protecting Your Pages with htaccess

The newaliases command is a Postfix command that can be used to rebuild all of the alias database files with a single invocation and without the need for any command line arguments. The newaliases command is equivalent to running the postalias command on each file specified by the alias_database parameter in the Postfix main.cf configuration file. The newaliases command reads the text files that contain the alias definitions and creates the indexed files in dbm or db format that are used for fast lookup by the mail system. The newaliases command should be executed whenever the alias database is changed, in order to update the indexed files. For example:

newaliases

The other commands are not equivalent to the newaliases command. The makealiases command is not a valid Postfix command. The postalias command can be used to rebuild a single alias database file, but it requires the file name as an argument. The postmapbuild command is not a valid Postfix command.

References:

• LPIC-2 Exam 202 Objectives, Objective 205.3: Managing a postfix server
• Postfix Basic Configuration, Postfix Documentation
• Postfix manual - aliases(5), Postfix Documentation
• Postfix manual - newaliases(1), Postfix Documentation
• Postfix manual - postalias(1), Postfix Documentation

The excerpt from an LDIF file shows the attributes of an LDAP object that represents a person named John Smith. The dn attribute is the distinguished name, which uniquely identifies the object in the LDAP directory. The dn is composed of one or more relative distinguished names (RDNs), which are attribute-value pairs separated by commas. In this case, the dn has three RDNs: cn=John Smith, ou=People, and dc=example. The cn attribute is the common name, which is a human-readable name for the object. The ou attribute is the organizational unit, which is a container for grouping objects. The dc attribute is the domain component, which is used to form the domain name of the directory. The o attribute is the organization name, which is an optional attribute that can be used to specify the name of the organization that the object belongs to. The objectClass attribute is a multi-valued attribute that specifies the object classes that the object belongs to. Each object class has a schema that defines the mandatory and optional attributes that the object can have. In this case, the object belongs to two object classes: inetOrgPerson and organizationalPerson. The inetOrgPerson object class is a standard object class for representing people in an Internet directory. The organizationalPerson object class is a standard object class for representing people who belong to an organization. The sn attribute is the surname, which is a mandatory attribute for the inetOrgPerson and organizationalPerson object classes. The mail attribute is the email address, which is an optional attribute for the inetOrgPerson and organizationalPerson object classes. References:

• Understanding the LDAP Protocol, Data Hierarchy, and Entry Components
• LDAP Object Classes
• LDIF File (What It Is and How to Open One) - Lifewire
• Examining the LDIF File Format - IRI

The dig command in the image shows that the reverse DNS lookup for the IP address 192.168.0.1 failed to return the expected hostname linuserv.example.net. Instead, it returned linuserv.example.net.example.net, which indicates that the PTR record in the reverse lookup zone file is missing a dot (.) at the end of the hostname. Without the dot, the hostname is treated as relative to the zone name, which is example.net. Therefore, the correct syntax for the PTR record in the reverse lookup zone file should be:

1.168.192.in-addr.arpa. IN PTR linuserv.example.net.

The dot at the end of the hostname makes it absolute, meaning it does not append the zone name to it. This way, the reverse DNS lookup will return the correct hostname for the IP address123 References:

• Reverse DNS Lookup - WhatIsMyIP.com®
• DNS PTR Records - DNSimple Help
• How to Configure Reverse DNS for BIND in WHM - cPanel Knowledge Base - cPanel Documentation

What is a DNS PTR Record? PTR Record Syntax & Examples - PowerDMARC

The root directive in Nginx defines the file system path from which the content of the server is retrieved. It can be placed in the http, server, or location contexts. The root directive specifies the root directory that will be used to search for a file. To obtain the path of a requested file, Nginx appends the request URI to the path specified by the root directive. For example, if the root directive is set to /var/www/html and the request URI is /index.php, Nginx will look for the file /var/www/html/index.php. References: Serving Static Content | NGINX DocumentationUnderstanding and Implementing FastCGI Proxying in Nginx

 A glue record is a DNS record that provides the IP address of a nameserver that is a subdomain of the domain being queried. For example, if the domain example.com has nameservers ns1.example.com and ns2.example.com, then the .com nameservers will provide glue records for ns1.example.com and ns2.example.com, along with the NS records for example.com. This way, the resolver can find the IP address of the nameservers without having to query them first, which would create a circular dependency12

The format of a glue record is:

nameserver A IP address

where nameserver is the hostname of the nameserver, A is the record type for IPv4 address, and IP address is the IPv4 address of the nameserver3

Therefore, the only option that matches this format is A. ns1.lab A 198.51.100.53. The other options are either missing the record type, the IP address, or the dot after the nameserver name4 References:

• DNS Tools - Glue Records
• What Is Glue Record: Everything You Wanted To Know
• Glue Records and Dedicated DNS - NS1, an IBM Company
• DNS Record Types - DNSimple Help

Glue Records and Dedicated DNS - NS1, an IBM Company

 The fastcgi_pass directive is used to proxy requests to a FastCGI application in Nginx. It specifies the address of the FastCGI server or the path of the Unix-domain socket that will accept FastCGI requests. For example:

location ~ \.php$ { include fastcgi_params; fastcgi_pass 127.0.0.1:9000; }

This configuration will pass any requests ending with .php to the FastCGI server listening on 127.0.0.1:9000.

The other options are not valid directives in Nginx. There is no fastcgi_proxy, proxy_fastcgi, proxy_fastcgi_pass, or fastcgi_forward directive. The proxy_pass directive is used to proxy requests to a HTTP server, not a FastCGI application.

References:

• Module ngx_http_fastcgi_module - nginx
• FastCGI Example | NGINX
• Understanding and Implementing FastCGI Proxying in Nginx

 The ldappasswd command is an OpenLDAP client tool that can be used to change the password for an LDAP entry. It can be used to change the password of the user who is binding to the LDAP server, or the password of another user if the bind user has sufficient privileges. The ldappasswd command requires the user to specify the LDAP server location, the bind DN and password, the old password, and the new password. The old and new passwords can be given on the command line, through prompts, or from files. The ldappasswd command can also use SASL authentication mechanisms instead of simple authentication. The ldappasswd command follows the general syntax of:

ldappasswd [options] [user]

where user is the DN of the entry whose password is to be changed. If omitted, the bind DN is used.

References:

• LPIC-2 Exam 202 Objectives, Objective 207.3: LDAP Operations
• How To Change Account Passwords on an OpenLDAP Server, DigitalOcean
• ldappasswd: change the password of an LDAP entry, openldap-clients Manual Page
• How To Change an OpenLDAP Password, Tyler’s Guides

Sieve is a language for filtering and sorting email messages on a mail server. Sieve core filters are the basic actions that can be applied to a message that matches a set of conditions. The following actions are available in Sieve core filters:

• discard: This action discards the message silently, without sending any notification to the sender or the recipient. This action is useful for deleting spam or unwanted messages.
• fileinto: This action delivers the message to a specified mailbox. The mailbox can be an existing one or a new one that is created by the action. This action is useful for organizing messages into different folders based on their content or headers.
• reject: This action rejects the message and sends a notification to the sender with a specified reason. The message is not delivered to the recipient. This action is useful for informing the sender that the message was not accepted due to some policy or error.

The other options are not valid actions in Sieve core filters. drop, relay, and fileinto are not recognized keywords by Sieve.

References:

• Sieve: An Email Filtering Language, section 2.10, “Actions”
• Sieve Tutorial, section 4, “Actions”

The Require directive in mod_authz_core selects which authenticated users can access a resource. The directive takes one or more arguments that specify the authorization provider and the criteria for granting access. Some of the built-in authorization providers are:

• all: This provider matches all users, regardless of the criteria. It can be used to grant or deny access to everyone. For example, Require all granted allows access to everyone, while Require all denied denies access to everyone.
• ip: This provider matches the client IP address against a list of IP addresses, network/netmask pairs, or CIDR specifications. It can be used to allow or deny access based on the client’s location. For example, Require ip 192.168.1.0/24 allows access only to clients from the 192.168.1.0/24 subnet.
• host: This provider matches the client hostname against a list of domain names. It can be used to allow or deny access based on the client’s DNS name. For example, Require host example.com allows access only to clients whose hostname ends with example.com.
• local: This provider matches the client IP address against the server IP address. It can be used to allow or deny access based on whether the client is local or remote. For example, Require local allows access only to clients that connect to the server via the loopback interface.
• user: This provider matches the authenticated username against a list of usernames. It can be used to allow or deny access based on the user identity. For example, Require user alice bob allows access only to users alice and bob.
• group: This provider matches the authenticated user’s group membership against a list of groups. It can be used to allow or deny access based on the user’s group affiliation. For example, Require group admins allows access only to users who belong to the admins group.
• valid-user: This provider matches any authenticated user, regardless of the username. It can be used to allow or deny access based on the user authentication status. For example, Require valid-user allows access to any user who can provide valid credentials.
• expr: This provider evaluates an expression and grants or denies access based on the result. It can be used to implement complex logic based on various variables and functions. For example, Require expr "%{REQUEST_METHOD} == 'GET' && %{TIME_HOUR} < 12" allows access only to GET requests made before noon.
• method: This provider matches the request method against a list of methods. It can be used to allow or deny access based on the type of request. For example, Require method GET POST allows access only to GET and POST requests.
• regex: This provider matches the request URI against a regular expression. It can be used to allow or deny access based on the pattern of the request. For example, Require regex ^/admin/.* allows access only to requests that start with /admin/.

Therefore, the correct strings that can be used as an argument to Require are B, C, and E. Statement A is false because method is not a valid argument to Require, but a separate authorization provider. Statement D is false because header is not a valid argument to Require, but a variable that can be used in an expression.

References:

• mod_authz_core - Apache HTTP Server Version 2.4
• Access Control - Apache HTTP Server Version 2.4

Samba cannot use /etc/passwd and /etc/shadow directly because they store passwords in a different format than CIFS. CIFS passwords are encrypted using a one-way hash function, while Unix passwords are encrypted using a two-way cipher. Therefore, Samba needs a separate password file that stores the CIFS passwords in a compatible format. This file is usually called smbpasswd and can be created or updated using the smbpasswd command123 References:

• Chapter 9. Users and Security - Samba
• smbpasswd - Samba
• Chapter 20. samba authentication - linux-training.be

Chapter 9. Users and Security - Samba3

Chapter 9. Users and Security - Samba

The command in the question is using the ldapsearch tool to query an LDAP directory. The filter expression is (|(cn=marie)(!(telephoneNumber=9*))), which means to match entries that satisfy either one of the two conditions inside the parentheses. The first condition is (cn=marie), which means the common name attribute (cn) of the entry is equal to marie. The second condition is (!(telephoneNumber=9*)), which means the telephone number attribute (telephoneNumber) of the entry is not equal to 9 followed by any number of characters. The ! operator means logical negation, and the * operator means wildcard matching. Therefore, the command will return entries that have a cn of marie or don’t have a telephoneNumber beginning with 9. References: LPIC-2 202 exam objectives, LDAP Search Filters

 The line A is valid in a configuration file in /etc/pam.d/ because it follows the correct syntax and semantics of a PAM configuration file. The syntax of a PAM configuration file is:

module_interface control_flag module_name module_arguments

The module_interface specifies the type of authentication action that the module can perform. There are four types of module interface: auth, account, password, and session. The control_flag specifies how important the success or failure of the module is to the overall authentication process. There are four types of control flag: required, requisite, sufficient, and optional. The module_name specifies the name of the library that contains the module. The module_arguments are optional parameters that can modify the behavior of the module.

The line A has the following components:

• module_interface: auth, which means the module is used for user authentication.
• control_flag: required, which means the module must succeed for authentication to continue. If the module fails, the failure is recorded and the rest of the modules are executed.
• module_name: pam_unix.so, which means the module is the standard Unix authentication module that verifies the user’s password against the /etc/passwd and /etc/shadow files.
• module_arguments: try_first_pass nullok, which means the module tries to use the password that was previously entered by the user (if any), and allows users with empty passwords to log in.

The line B is invalid because it has the wrong order of the fields. The control_flag should come before the module_name, not after. The line C is invalid because it uses parentheses and colons instead of spaces to separate the fields. The line D is invalid because it has the wrong syntax for the control_flag. The control_flag should be a single word, not a word in parentheses.

The listen directive in a Nginx server configuration block defines the TCP ports on which the virtual host will be available, and which protocols it will use. The listen directive takes one or more parameters, such as the port number, the IP address, and the protocol name. For example, the following directive tells Nginx to listen for HTTP requests on port 80 on all network interfaces:

listen 80;

The following directive tells Nginx to listen for HTTPS requests on port 443 on the 192.0.2.1 IP address:

listen 192.0.2.1:443 ssl;

The following directive tells Nginx to listen for both TCP and UDP traffic on port 53 on the 192.0.2.2 IP address:

listen 192.0.2.2:53 udp tcp;

The listen directive can also take some options, such as default_server, which specifies that the server block should act as the default server for the given port, or backlog, which sets the maximum number of pending connections for the socket.

References:

• Server Block Examples | NGINX
• NGINX Docs | Configuring HTTP Servers
• Which directive in a Nginx server configuration block defines the TCP ports on which the virtual host will be available, and which protocols it will use?

Sieve filters are usually applied to an email when the email is delivered to a mailbox by a mail delivery agent (MDA) or a local delivery agent (LDA). Sieve filters are scripts that can perform various actions on incoming emails, such as sorting them into folders, assigning labels, forwarding, rejecting, or discarding them. Sieve filters are executed on the server side, and they are independent of the mail user agent (MUA) or the mail access protocol. This means that the email filtering is consistent across different email clients and devices. Sieve filters are not applied when the email is relayed by an SMTP server, received by an SMTP smarthost, sent to the first server by an MUA, or retrieved by an MUA. These are different stages of the email delivery process, but they do not involve the final delivery of the email to a mailbox.

References:

• LPIC-2 Exam 202 Objectives, Objective 205.4: Managing a dovecot server
• Sieve filter (advanced custom filters) | Proton
• start - Sieve.Info
• What is Sieve Filtering? - Knowledge Base - Pair Networks

 The host allow option in the smb.conf file specifies the hosts or networks that are allowed to access the Samba server. The hosts can be specified by name, IP address, or network address with a netmask. The host allow option can also include the special name localhost, which refers to the local machine. The host allow option can be overridden by the host deny option, which specifies the hosts or networks that are denied access to the Samba server. The host deny option has a higher priority than the host allow option.

In this question, the host allow option is set to 192.168.1.100 192.168.2.0/24 localhost, which means that only the host with the IP address 192.168.1.100, the hosts on the network 192.168.2.0/24 (from 192.168.2.1 to 192.168.2.254), and the local machine can access the Samba server. This explains why a wireless laptop with an IP address 192.168.2.93 can access the Samba server, but a workstation on the wired network with an IP address 192.168.1.177 cannot. Almost every machine on the wired network is unable to access the Samba server because they are not included in the host allow option.

To fix this problem, the host allow option should be changed to include the entire wired network, which is assumed to be 192.168.1.0/24 (from 192.168.1.1 to 192.168.1.254). This can be done by using the network address and the netmask, or by using a range of IP addresses. The host allow option should also keep the wireless network and the localhost in the list, so that the existing access is not denied. Therefore, the correct answer is E. host allow = 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0 localhost. This will allow any host on either network, or the local machine, to access the Samba server, without denying access to anyone else.

The Samba service that handles the membership of a file server in an Active Directory domain is winbindd. Winbindd is a daemon that provides a number of services to the Name Service Switch (NSS) capability of the system, such as resolving user and group information from a Windows NT server and authentication. Winbindd can also be used to join a Samba file server to an Active Directory domain and authenticate domain users to access the file shares12 References:

• Chapter 4. Using Samba for Active Directory Integration Red Hat Enterprise Linux 7 - Red Hat Customer Portal
• Winbind: Use of Domain Accounts - SambaWiki

 DHCPv6 supports three types of IPv6 address assignments:

• Individual address assignment (IA_NA): This is the stateful mode of DHCPv6, where the DHCPv6 server assigns a normal IPv6 address to a client that can be renewed or released. The address is chosen from a pool of prefixes configured on the server and is unique and non-duplicate. The client can request one or more addresses using the IA_NA option in the DHCPv6 messages1
• Temporary address assignment (IA_TA): This is similar to the IA_NA mode, but the addresses assigned are temporary and cannot be renewed or released. The temporary addresses are used for privacy reasons and are generated by the client using a random interface identifier. The client can request one or more temporary addresses using the IA_TA option in the DHCPv6 messages2
• Prefix delegation (IA_PD): This is the mode where the DHCPv6 server delegates a whole IPv6 prefix to a client, such as a router or a host, that can use it for further subnetting or routing. The client can request one or more prefixes using the IA_PD option in the DHCPv6 messages. The delegated prefixes are also chosen from a pool of prefixes configured on the server3

References: 1: IP Addressing: DHCP Configuration Guide - IPv6 Access Services: DHCPv6 Individual Address Assignment 2: RFC 4941 - Privacy Extensions for Stateless Address Autoconfiguration in IPv6 3: IP Addressing: DHCP Configuration Guide - IPv6 Access Services: DHCPv6 Prefix Delegation

The netfilter table that contains built-in chains called INPUT, OUTPUT and FORWARD is the filter table. The filter table is the default table for netfilter and iptables, and it is used to filter packets based on their source, destination, protocol, port, state, etc. The filter table has three built-in chains, which correspond to the netfilter hooks that trigger them:

• INPUT: This chain is used to process incoming packets that are destined for the local system. The packets must have passed through the PREROUTING chain and the routing decision before reaching this chain.
• OUTPUT: This chain is used to process outgoing packets that are originated from the local system. The packets must have passed through the routing decision before reaching this chain.
• FORWARD: This chain is used to process packets that are neither originated from nor destined for the local system, but are routed through the system. The packets must have passed through the PREROUTING and POSTROUTING chains and the routing decision before reaching this chain.

The filter table can have user-defined chains as well, which can be created with the -N option of the iptables command. User-defined chains can be used to organize rules and simplify the management of the firewall. Rules can be added to any chain in the filter table with the -A option of the iptables command, and they can specify the target action to take if the packet matches the rule. The target can be one of the following:

• ACCEPT: This target allows the packet to pass through the chain and continue to the next netfilter hook.
• DROP: This target drops the packet and stops its processing.
• REJECT: This target drops the packet and sends back an error message to the sender.
• LOG: This target logs the packet information to the kernel log and continues to the next rule in the chain.
• RETURN: This target returns from the current chain to the calling chain, or to the default policy if there is no calling chain.
• A user-defined chain name: This target jumps to the user-defined chain and executes its rules until a terminal target (ACCEPT, DROP, REJECT, or RETURN) is reached or the end of the chain is reached.

References:

• A Deep Dive into Iptables and Netfilter Architecture
• Iptables Tutorial 1.2.2
• How To List and Delete Iptables Firewall Rules

To fully disable password based logins for SSH, you need to set both Challenge Response Authentication and Password Authentication to no in the sshd configuration file. These options control whether the server will accept password-based authentication methods such as keyboard-interactive or PAM. Setting them to no will only allow public key authentication or other methods that do not involve passwords. References:

• LPIC-2 Exam 202 Objectives1
• LPIC-2 Exam 202 Study Guide2
• LPIC-2 Exam 202 Topic 208: SSH Configuration3

DNSSEC adds digital signatures to DNS records, which can be verified by the clients using public keys. This way, DNSSEC ensures that the DNS responses are authentic and have not been tampered with by attackers. DNSSEC does not encrypt DNS queries or answers, nor does it authenticate the user or the nameserver123

What is DNSSEC on DNS Server in Windows Server?1

How DNSSEC Works | Cloudflare

The Samba configuration parameter writeable is a synonym for the parameter read only. It has the opposite meaning, so setting writeable=no is equivalent to setting read only=yes. This parameter controls whether a user has the ability to create or modify files within a share12 References:

• LPIC-2 Overview
• LPIC-2 202-450
• smb.conf - Samba
• Samba share permissions simplified - nixCraft

 The command exportfs is used to configure which file systems a NFS server makes available to clients. The exportfs command maintains a table of exported file systems in the /etc/exports file, which specifies the directories to be shared and the options for each host or network. The exportfs command can also be used to add, remove, or refresh the exported file systems without restarting the NFS service123 References:

• 8.6. Configuring the NFS Server - Red Hat Customer Portal
• How to configure NFS on Linux - Learn Linux Configuration
• How to configure Network File System on Linux | Enable Sysadmin

DANE stands for DNS-based Authentication of Named Entities. It is a protocol that provides a way to verify the association of X 509 certificates to DNS host names. X 509 certificates are digital documents that contain the public key and identity information of an entity, such as a web server or an email server. They are used to establish secure connections and authenticate the identity of the entity. However, the traditional way of obtaining and validating X 509 certificates relies on a hierarchical system of trusted third parties, called certificate authorities (CAs), which can be vulnerable to attacks or compromise. DANE aims to enhance the security and trust of X 509 certificates by using DNSSEC, which is a set of extensions to DNS that provide cryptographic signatures and validation for DNS records. DANE allows the owner of a domain name to publish the X 509 certificate or its fingerprint in a DNS record, called a TLSA record, which can be verified by the DNSSEC chain of trust. This way, the client can check the authenticity of the certificate directly from the DNS, without relying on external CAs. DANE can also be used to specify which CAs are authorized to issue certificates for a domain name, or to indicate that no CA is needed at all. DANE can be applied to various protocols that use X 509 certificates, such as HTTPS, SMTP, IMAP, POP3, etc.

References:

• DANE - Wikipedia
• DNS-Based Authentication of Named Entities (DANE) - Internet Society
• DANE: Taking TLS Authentication to the Next Level Using DNSSEC

To create a hidden Samba share, similar to the Windows Administration Share, the share name must end with a dollar sign ().Thiswillpreventthesharefrombeinglistedinthebrowselist,butitcanstillbeaccessedbytypingthefullsharename.OptionAshowsanexampleofahiddenSambasharenamedconfidential, with some additional parameters to configure the share. Option B is incorrect because the share name does not end with a dollar sign. Option C is incorrect because the share name is not enclosed in brackets. Option D is incorrect because the share name contains a space, which is not allowed. Option E is incorrect because the share name is not a valid file name12 References:

• Hiding samba share from browse list for unauthorised users
• Creating a samba share where everyone has write access