Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account
First, we have tried many suggestions found in this and other sites. But the
problem has not been solved.
When trying to start postgresql as a service with a domain account on a
windows 2012 server, the service starts and stops immediately. The Windows
event log showed a terse error about timeout (even though it did not really
take more than a couple of seconds for it to fail). By the way, the server
is in an internal data center and does not have open access to public
Internet.
We have made sure that the domain account has FULL access to all the
directories under and including the installation directory (the domain
account is NOT in the administrator group). We have made sure the domain
account has the permission to "log on as a service" in Windows Local
Security Policy. In fact, we can even use this domain account to start
postgresql from command line - "pg_ctl -U xxxx -P yyyy -D.... start" but it
just won't work when trying to start postgresql as a service. We have tried
to install postgresql under a separate drive (not the default c drive), and
it did not help.
We can start postgresql as a service if we use the local system account or
the default NETWORK SERVICE account.
We have uninstalled (and removed cleanly) / reinstalled postgresql a number
of times, have tried to install it under administrator mode, but none
helped.
Any help will be greatly appreciated.
John
--
View this message in context: http://postgresql.1045698.n5.nabble.com/Cannot-start-Postgresql-9-3-as-a-service-in-Windows-2012-Server-with-a-domain-account-tp5806847.html
Sent from the PostgreSQL - general mailing list archive at Nabble.com.
On 11/06/2014 17:05, boca2608 wrote:
First, we have tried many suggestions found in this and other sites. But
the problem has not been solved.When trying to start postgresql as a service with a domain account on a
windows 2012 server, the service starts and stops immediately. The
Windows event log showed a terse error about timeout (even though it did
not really take more than a couple of seconds for it to fail). By the
PostgreSQL's own logs should have some more detail - the event log entry
is indeed terse, PG writes all the interesting stuff to its own log.
Ray.
--
Raymond O'Donnell :: Galway :: Ireland
rod@iol.ie
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
Thanks Ray. But unfortunately, there is no log entry in the postgresql log
(as in the data/pg_log folder). The log file is empty. I checked the log
before and after the error.
Thanks,
John
--
View this message in context: http://postgresql.1045698.n5.nabble.com/Cannot-start-Postgresql-9-3-as-a-service-in-Windows-2012-Server-with-a-domain-account-tp5806847p5806999.html
Sent from the PostgreSQL - general mailing list archive at Nabble.com.
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
Krystian Bigaj replied this in a separate email, which led to some
interesting information that I would like to share in this mailing list.
He suggested the use of the "Process Monitor" app to log the process events
during the startup of the service and look for "ACCESS DENIED" errors. Here
is what I found. During the startup, there were indeed several ACCESS
DENIED errors:
Date & Time: 6/12/2014 9:27:41 AM
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options
TID: 1964
Duration: 0.0000451
Desired Access: Query Value, Enumerate Sub Keys
Date & Time: 6/12/2014 9:27:41 AM
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\System\CurrentControlSet\Control\Session Manager
TID: 1964
Duration: 0.0000364
Desired Access: Read
Date & Time: 6/12/2014 9:27:41 AM
Event Class: File System
Operation: CreateFile
Result: ACCESS DENIED
Path: C:\Windows\System32
TID: 1964
Duration: 0.0000409
Desired Access: Execute/Traverse, Synchronize
Disposition: Open
Options: Directory, Synchronous IO Non-Alert
Attributes: n/a
ShareMode: Read, Write
AllocationSize: n/a
Date & Time: 6/12/2014 9:27:41 AM
Event Class: File System
Operation: QueryOpen
Result: ACCESS DENIED
Path: D:\PostgreSQL\9.3\bin\ssleay32.dll
TID: 1964
Duration: 0.0000270
I do not know how to give someone permission to a particular registry entry.
But I suspect that the inability to access system32 might be the cause of
the failure to start the service. But when I tried to add the domain user
to the permission for system32 (READ & EXECUTE), Windows would not allow me
to proceed. Has anybody seen such issues? Any help would be greatly
appreciated.
Thanks,
John
--
View this message in context: http://postgresql.1045698.n5.nabble.com/Cannot-start-Postgresql-9-3-as-a-service-in-Windows-2012-Server-with-a-domain-account-tp5806847p5807002.html
Sent from the PostgreSQL - general mailing list archive at Nabble.com.
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
-----Original Message-----
From: pgsql-general-owner@postgresql.org [mailto:pgsql-general-
owner@postgresql.org] On Behalf Of boca2608
Sent: Thursday, June 12, 2014 10:00 AM
To: pgsql-general@postgresql.org
Subject: [GENERAL] Re: Cannot start Postgresql 9.3 as a service in Windows
2012 Server with a domain accountKrystian Bigaj replied this in a separate email, which led to some interesting
information that I would like to share in this mailing list.He suggested the use of the "Process Monitor" app to log the process events
during the startup of the service and look for "ACCESS DENIED" errors. Here
is what I found. During the startup, there were indeed several ACCESS
DENIED errors:Date & Time: 6/12/2014 9:27:41 AM
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options
TID: 1964
Duration: 0.0000451
Desired Access: Query Value, Enumerate Sub KeysDate & Time: 6/12/2014 9:27:41 AM
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\System\CurrentControlSet\Control\Session Manager
TID: 1964
Duration: 0.0000364
Desired Access: ReadDate & Time: 6/12/2014 9:27:41 AM
Event Class: File System
Operation: CreateFile
Result: ACCESS DENIED
Path: C:\Windows\System32
TID: 1964
Duration: 0.0000409
Desired Access: Execute/Traverse, Synchronize
Disposition: Open
Options: Directory, Synchronous IO Non-Alert
Attributes: n/a
ShareMode: Read, Write
AllocationSize: n/aDate & Time: 6/12/2014 9:27:41 AM
Event Class: File System
Operation: QueryOpen
Result: ACCESS DENIED
Path: D:\PostgreSQL\9.3\bin\ssleay32.dll
TID: 1964
Duration: 0.0000270I do not know how to give someone permission to a particular registry entry.
But I suspect that the inability to access system32 might be the cause of the
failure to start the service. But when I tried to add the domain user to the
permission for system32 (READ & EXECUTE), Windows would not allow me to
proceed. Has anybody seen such issues? Any help would be greatly
appreciated.Thanks,
John
I missed the beginning of this thread.
Is there a specific reason NOT to use local account for Postgres service?
Regards,
Igor Neyman
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
On 12/06/2014 14:51, boca2608 wrote:
Thanks Ray. But unfortunately, there is no log entry in the postgresql log
(as in the data/pg_log folder). The log file is empty. I checked the log
before and after the error.
OK. You may need to enable logging (though I thought the EnterpriseDB
installer had it enabled by default) - have a look at postgresql.conf,
which ought to be in the data/ directory, and see what's in the section
entitled "Error reporting and logging".
My laptop installation (Postgres 9.3 on Windows 7) currently has the
following (all set by the aforementioned installer) -
log_destination = 'stderr'
logging_collector = on
log_directory = 'pg_log'
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
- and the log files are being created in data/pg_log as expected.
HTH,
Ray.
--
Raymond O'Donnell :: Galway :: Ireland
rod@iol.ie
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
On 12 June 2014 15:59, boca2608 <boca2608@gmail.com> wrote:
Krystian Bigaj replied this in a separate email, which led to some
interesting information that I would like to share in this mailing list.He suggested the use of the "Process Monitor" app to log the process events
during the startup of the service and look for "ACCESS DENIED" errors.
Here
is what I found. During the startup, there were indeed several ACCESS
DENIED errors:Date & Time: 6/12/2014 9:27:41 AM
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File
Execution
Options
TID: 1964
Duration: 0.0000451
Desired Access: Query Value, Enumerate Sub KeysI had similar problem (but
with initdb.exe).
Solution in your case is to add BUILTIN\Users group to your "postgres"
account (this which you will use to start PG service).
Let me know if this helps.
PS. Don't change permissions on registry/file, because you will end up with
a mess :)
Of course your PG data directory must have Full access for postgress
account. Also your binaries must have a Read+Execute access for postgress.
In most cases adding that BUILTIN\Users group to postgress will work, but I
had a case, where end-user installed our software on drive where Users
group had Deny permissions.
To sum it all:
- directory with your pgdata - Full access for postgress account
- PG installation dir (so parent of bin) - Read+Execute for postgress
account
- postgres account must be member of BUILTIN\Users (!)
- if you are redirecting Log to other directory, then this dir also have to
Full access for postgres account.
(I'm using "NT AUTHORITY\NetworkService" account)
Best regards,
Krystian Bigaj
(re-posting, because I've used Reply, instead of Reply all, thanks)
On 11 June 2014 18:05, boca2608 <boca2608@gmail.com> wrote:
When trying to start postgresql as a service with a domain account on a
windows 2012 server, the service starts and stops immediately. The Windows
event log showed a terse error about timeout (even though it did not really
take more than a couple of seconds for it to fail). By the way, the server
is in an internal data center and does not have open access to public
Internet.If you don't have (error) logs from PG then you could try to use Process
Monitor, set filter for postgres.exe process, and start service. Look for
errors in Result with eg. ACCESS_DENIED.
I've had some clients that had few different issues, and all of them was
because of permissions issues (sometimes postgres.exe fails, sometimes
initdb.exe fails). Setting correct permissions solved all of that problems.
PS. I'm running PG under NetworkService account, but I'm not using
installer from EDB or even pg_ctl (shutdown code is buggy, but it's a
postgres.exe issue).
Best regards,
Krystian Bigaj
Igor,
Our network security policy requires that such database services run under a
dedicated domain account. (Postgresql does run successfully under local
system account and the default NETWORK SERVICE account.)
Thanks,
John
From: Igor Neyman [via PostgreSQL]
[mailto:ml-node+s1045698n5807004h89@n5.nabble.com]
Sent: Thursday, June 12, 2014 10:06 AM
To: boca2608
Subject: Re: Cannot start Postgresql 9.3 as a service in Windows 2012 Server
with a domain account
-----Original Message-----
From: [hidden email] [mailto:pgsql-general-
[hidden email]] On Behalf Of boca2608
Sent: Thursday, June 12, 2014 10:00 AM
To: [hidden email]
Subject: [GENERAL] Re: Cannot start Postgresql 9.3 as a service in Windows
2012 Server with a domain account
Krystian Bigaj replied this in a separate email, which led to some
interesting
information that I would like to share in this mailing list.
He suggested the use of the "Process Monitor" app to log the process
events
during the startup of the service and look for "ACCESS DENIED" errors.
Here
is what I found. During the startup, there were indeed several ACCESS
DENIED errors:Date & Time: 6/12/2014 9:27:41 AM
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options
TID: 1964
Duration: 0.0000451
Desired Access: Query Value, Enumerate Sub KeysDate & Time: 6/12/2014 9:27:41 AM
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\System\CurrentControlSet\Control\Session Manager
TID: 1964
Duration: 0.0000364
Desired Access: ReadDate & Time: 6/12/2014 9:27:41 AM
Event Class: File System
Operation: CreateFile
Result: ACCESS DENIED
Path: C:\Windows\System32
TID: 1964
Duration: 0.0000409
Desired Access: Execute/Traverse, Synchronize
Disposition: Open
Options: Directory, Synchronous IO Non-Alert
Attributes: n/a
ShareMode: Read, Write
AllocationSize: n/aDate & Time: 6/12/2014 9:27:41 AM
Event Class: File System
Operation: QueryOpen
Result: ACCESS DENIED
Path: D:\PostgreSQL\9.3\bin\ssleay32.dll
TID: 1964
Duration: 0.0000270I do not know how to give someone permission to a particular registry
entry.
But I suspect that the inability to access system32 might be the cause of
the
failure to start the service. But when I tried to add the domain user to
the
permission for system32 (READ & EXECUTE), Windows would not allow me to
proceed. Has anybody seen such issues? Any help would be greatly
appreciated.Thanks,
John
I missed the beginning of this thread.
Is there a specific reason NOT to use local account for Postgres service?
Regards,
Igor Neyman
--
Sent via pgsql-general mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
_____
If you reply to this email, your message will be added to the discussion
below:
http://postgresql.1045698.n5.nabble.com/Cannot-start-Postgresql-9-3-as-a-ser
vice-in-Windows-2012-Server-with-a-domain-account-tp5806847p5807004.html
To unsubscribe from Cannot start Postgresql 9.3 as a service in Windows 2012
Server with a domain account, click here
<http://postgresql.1045698.n5.nabble.com/template/NamlServlet.jtp?macro=unsu
bscribe_by_code&node=5806847&code=Ym9jYTI2MDhAZ21haWwuY29tfDU4MDY4NDd8LTM4MT
MwNzE4MA==> .
<http://postgresql.1045698.n5.nabble.com/template/NamlServlet.jtp?macro=macr
o_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.B
asicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.templ
ate.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-insta
nt_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
NAML
--
View this message in context: http://postgresql.1045698.n5.nabble.com/Cannot-start-Postgresql-9-3-as-a-service-in-Windows-2012-Server-with-a-domain-account-tp5806847p5807022.html
Sent from the PostgreSQL - general mailing list archive at Nabble.com.
From: pgsql-general-owner@postgresql.org [mailto:pgsql-general-owner@postgresql.org] On Behalf Of boca2608
Sent: Thursday, June 12, 2014 11:05 AM
To: pgsql-general@postgresql.org
Subject: [GENERAL] Re: Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account
Igor,
Our network security policy requires that such database services run under a dedicated domain account. (Postgresql does run successfully under local system account and the default NETWORK SERVICE account.)
Thanks,
John
I see.
So, did you try to explicitly make this domain account member of local Users group?
Regards,
Igor
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
After adding the domain user account into the local users group, the
postgresql service can be started successfully now. We will do more testing
to make sure that all postgresql functions are working. But I want to give
my big thanks to Krystian Bigaj, Igor Neyman and Raymond O'Donnell for
offering timely help and making this user mailing list a great resource to
the postgresql user community.
Thanks,
John
--
View this message in context: http://postgresql.1045698.n5.nabble.com/Cannot-start-Postgresql-9-3-as-a-service-in-Windows-2012-Server-with-a-domain-account-tp5806847p5807040.html
Sent from the PostgreSQL - general mailing list archive at Nabble.com.
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
-----Original Message-----
From: pgsql-general-owner@postgresql.org [mailto:pgsql-general-
owner@postgresql.org] On Behalf Of boca2608
Sent: Thursday, June 12, 2014 12:33 PM
To: pgsql-general@postgresql.org
Subject: [GENERAL] Re: Cannot start Postgresql 9.3 as a service in Windows
2012 Server with a domain accountAfter adding the domain user account into the local users group, the
postgresql service can be started successfully now. We will do more testing
to make sure that all postgresql functions are working. But I want to give my
big thanks to Krystian Bigaj, Igor Neyman and Raymond O'Donnell for
offering timely help and making this user mailing list a great resource to the
postgresql user community.Thanks,
John
Just a heads-up:
These domain/network security people like to change accounts' passwords on regular basis, in which case your local Postgres service will stop working.
Pay attention.
Regards,
Igor
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general