Error starting service on Win2k
I have installed 8.0-beta2-dev3 on Win2k but the service will not start.
Firstly, I couldn't install postgresql as a Windows service using the installer - using the installer, I couldn't add postgresql as a Windows service without being a local administrator. However, if I was logged on as a local admin then the service would install but there was an error reported later on saying that the server wouldn't run because I was administrator (don't have a log of that error, sorry).
So I logged on as a regular user and used the installer to install postgresql but NOT as a service. Then I logged on as an admin, created a regular user account and used pg_ctl.exe to install the service under that account. When I start the service the Windows service manager reports that the service failed to start. The Application event log shows the following error (though NB the user account is a regular user, not a "Power User" or "Administrator"):
Event Type: Error
Event Source: PostgreSQL
Event Category: None
Event ID: 0
Date: 17/09/2004
Time: 2:04:06 p.m.
User: N/A
Computer: RB-501A-08-C
Description:
The description for Event ID ( 0 ) in Source ( PostgreSQL ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: execution of PostgreSQL by a user with administrative permissions is not permitted.
The server must be started under an unprivileged user ID to prevent
possible system security compromise. See the documentation for
more information on how to properly start the server.
.
I have installed 8.0-beta2-dev3 on Win2k but the service will
not start.Firstly, I couldn't install postgresql as a Windows service
using the installer - using the installer, I couldn't add
postgresql as a Windows service without being a local
administrator. However, if I was logged on as a local admin
then the service would install but there was an error reported
later on saying that the server wouldn't run because I was
administrator (don't have a log of that error, sorry).
You need two accounts. One administrator account that starts the
installer (this could be "Administrator" or cours e- definitly no need
to create a special user for this). Another account which is used to run
the eventual installed postgres. This is the account that you specify on
the service account screen in the installer. This account MUST NOT be an
administrator.
failed to start. The Application event log shows the following
error (though NB the user account is a regular user, not a
"Power User" or "Administrator"):
Well, the systems says it is. Per FAQ 3.3 at
http://pginstaller.projects.postgresql.org/FAQ_windows.html, please
check the contents of your PU and Adm groups. They may contain other
nested groups.
//Magnus
Import Notes
Resolved by subject fallback
Magnus Hagander wrote:
Firstly, I couldn't install postgresql as a Windows service
using the installer - using the installer, I couldn't add
postgresql as a Windows service without being a local
administrator. However, if I was logged on as a local admin
then the service would install but there was an error reported
later on saying that the server wouldn't run because I was
administrator (don't have a log of that error, sorry).You need two accounts. One administrator account that starts the
installer (this could be "Administrator" or cours e- definitly no need
to create a special user for this). Another account which is
used to run
the eventual installed postgres. This is the account that you
specify on
the service account screen in the installer. This account
MUST NOT be an
administrator.
OK. It turns out that the problem there was that the installer (postgresql-8.0-beta2-dev3.msi) actually created a user account which WAS a member of "Power Users", because my "Power Users" group included the group "NT AUTHORITY\Authenticated Users" (according to the MS website [1], this is the default configuration for Windows XP and Windows 2k Professional, though NOT for Win2k Server or Win2003 Server). This setting means that ANY new local account is AUTOMATICALLY a power user. When I realised this I removed the "NT AUTHORITY\Authenticated Users" from the "Power Users" local group, and the installer ran perfectly.
It would be better if the installer would detect this situation, though, because users installing PostgreSQL on WinXP or Win2k Professional with the default security setup will otherwise find that the installer will create a user account which then doesn't work, which is not a good start :-) The cause is not immediately apparent because "NT AUTHORITY\Authenticated Users" is not a regular security group, so the user account doesn't show up as being a member. You have to know what "NT AUTHORITY\Authenticated Users" actually means. IMHO, when the PG installer creates a user account, it should test to see if it is automatically a Power User, or it could test the "Power Users" group, and any nested groups directly to see if they contain this "NT AUTHORITY\Authenticated Users" group, and if so, it should pop up a dialog box pointing out the need to remove "NT AUTHORITY\Authenticated Users" from the "Power Users" group, perhaps even making this modification itself.
Thanks for your help, Magnus!
Con
1.
http://www.microsoft.com/windows2000/en/professional/help/windows_security_default_settings.htm
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/windows_security_differences.asp
Import Notes
Resolved by subject fallback
You need two accounts. One administrator account that starts the
installer (this could be "Administrator" or cours e-definitly no need
to create a special user for this). Another account which is
used to run
the eventual installed postgres. This is the account that you
specify on
the service account screen in the installer. This account
MUST NOT be an
administrator.OK. It turns out that the problem there was that the installer
(postgresql-8.0-beta2-dev3.msi) actually created a user
account which WAS a member of "Power Users", because my "Power
Users" group included the group "NT AUTHORITY\Authenticated
Users" (according to the MS website [1], this is the default
configuration for Windows XP and Windows 2k Professional,
though NOT for Win2k Server or Win2003 Server). This setting
means that ANY new local account is AUTOMATICALLY a power
user. When I realised this I removed the "NT
AUTHORITY\Authenticated Users" from the "Power Users" local
group, and the installer ran perfectly.
That is an interesting note. I've never seen "Power Users" contain
Authenticated Users on any system I've installed, but the page certainly
claims it.
However, it makes no claim about Windows XP that I can see. Only about
Windows 2000, and it shows the difference for the server platform.
It would be better if the installer would detect this
situation, though, because users installing PostgreSQL on
WinXP or Win2k Professional with the default security setup
will otherwise find that the installer will create a user
account which then doesn't work, which is not a good start :-)
Yes, if this ia default in a bunch of installations, we certainly
should. I've added a tracker to the installer to check for htis, and
we'll try toget it in there before release. I will also add it to the
installer/windows FAQ.
//Magnus
Import Notes
Resolved by subject fallback
OK. It turns out that the problem there was that the installer
(postgresql-8.0-beta2-dev3.msi) actually created a user
account which WAS a member of "Power Users", because my "Power
Users" group included the group "NT AUTHORITY\Authenticated
Users" (according to the MS website [1], this is the default
configuration for Windows XP and Windows 2k Professional,
though NOT for Win2k Server or Win2003 Server). This setting
means that ANY new local account is AUTOMATICALLY a power
user. When I realised this I removed the "NT
AUTHORITY\Authenticated Users" from the "Power Users" local
group, and the installer ran perfectly.
Magnus Hagander wrote:
That is an interesting note. I've never seen "Power Users" contain
Authenticated Users on any system I've installed, but the
page certainly
claims it.
However, it makes no claim about Windows XP that I can see. Only about
Windows 2000, and it shows the difference for the server platform.
The second link in my earlier email mentioned WinXP Professional, which is the same as Win2k Professional in this regard, so it is definitely still a current issue:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/windows_security_differences.asp
Probably most serious use of pg would be on a "Server" version of the OS, but there are probably a lot more boxes out there running "Professional", so I'd expect it to come up quite often all the same, especially (as for me) when people are first evaluating the software.
Cheers
Con
Import Notes
Resolved by subject fallback