Re: BUG #16341: Installation with EnterpriseDB Community installer inNT AUTHORITY\SYSTEM context not possible - Mailing list pgsql-bugs

From Sandeep Thakkar
Subject Re: BUG #16341: Installation with EnterpriseDB Community installer inNT AUTHORITY\SYSTEM context not possible
Date
Msg-id CANFyU94Ommf133V0OPVfimG_DzYjkMkefhSKSwQwUaMnQ+7-Ag@mail.gmail.com
Whole thread Raw
In response to Re: BUG #16341: Installation with EnterpriseDB Community installer inNT AUTHORITY\SYSTEM context not possible  (Sandeep Thakkar <sandeep.thakkar@enterprisedb.com>)
List pgsql-bugs
The updated versions for 9.5 to v12 are now available for download.

On Tue, Apr 21, 2020 at 1:36 PM Sandeep Thakkar <sandeep.thakkar@enterprisedb.com> wrote:
Hi Bert,

On Mon, Apr 20, 2020 at 6:51 PM Bert Brezel <pg.dba.iit.team@gmail.com> wrote:
Hi Sandeep,

thank you very much. This installer works now. It also works with my usual input parameters for the installer. I attached the installation log file.

Glad to hear that.
 
Can you estimate when you release the updated version? 

The updated versions will be out in a day or two.
 
Thank you for resolving this issue.

Kind regards

Am Mo., 20. Apr. 2020 um 11:10 Uhr schrieb Sandeep Thakkar <sandeep.thakkar@enterprisedb.com>:
Hi Bert,

We have generated a "test" installer with the fix for v11 and uploaded it here. Could you please verify if it fixes the issue? If it does, then we would release an update for all affected versions. Thank you.


On Wed, Apr 15, 2020 at 8:35 PM Bert Brezel <pg.dba.iit.team@gmail.com> wrote:
Hi Fahar, hi Sandeep 

thank you for investigating.

As mentioned earlier, the installation works with a domain account. The domain account is also member of the local administrator group of the server where I get the error message.

I get the error I reported if I try to start the installer in NT AUTHORITY\SYSTEM security context. I get this context by using psexec.exe. 

The last installer I know of that worked for me was 9.6.12. 

Kind regards

Am Sa., 11. Apr. 2020 um 07:12 Uhr schrieb Sandeep Thakkar <sandeep.thakkar@enterprisedb.com>:
Fahar, Bert,

It's reproducible at my end. I'll investigate and get back to you.

On Fri, Apr 10, 2020 at 6:58 PM Fahar Abbas <fahar.abbas@enterprisedb.com> wrote:
Hi Bert,

I am not able to reproduce the  issue on normal users while I am only getting an error message while I run installer on Domain control Admin Account.

Please find the issue on snapshot.

Is this the same problem you are facing?

On Mon, Apr 6, 2020 at 7:11 PM Bert Brezel <pg.dba.iit.team@gmail.com> wrote:
Hi, thank you for your reply. I answered below your comments.

On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <noreply@postgresql.org> wrote:
The following bug has been logged on the website:

Bug reference:      16341
Logged by:          Enrico La Torre
Email address:      pg.dba.iit.team@gmail.com
PostgreSQL version: 9.6.17
Operating system:   Windows Server 2016
Description:       

Hi,

it could be that the same bug was reported in
https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
, but nobody answered until today.

It is impossible for me to install PostgreSQL 9.6.17 with the EnterpriseDB
installer (free Community Edition) on Windows Server 2016 in the security
context of NT AUTHORITY\SYSTEM.

Can you elaborate this please?

I use psexec.exe from the Sysinternals Suite to get a PowerShell cmd shell in NT AUTHORITY\SYSTEM context. whoami returns 'nt authority\system'.
If I then start the installer with '.\postgresql-9.6.17-1-windows-x64.exe' the interactive installer starts and returns the given error message. To be precise, only the logo of EnterpriseDB is shown and then the error message appears.
Usually we call the installer in the unattended mode in our scripts but it even fails in the interactive mode now. So I ruled out any error with the argument list of the installer call.
 
If I start the installer with a regular
domain admin account, which is also local administrator, the installer
starts. 

OK
 
I receive the error message:
"Error running icacls "C:\Windows\Temp/postgresql_installer_ca555e4059" /T
/Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"

I disclaimed The log file of the installer
'C:\Windows\Temp\install-postgresql.log' is never written.

There must be files starting with bitrock*

The file 'C:\Windows\Temp\bitrock_installer.log' shows (I also attached the file to this mail):

Log started 04/06/2020 at 15:51:53
Preferred installation mode : qt
Trying to init installer in mode qt
Mode qt successfully initialized
Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /inheritance:r
Script exit code: 0

Script output:
 processed file: C:\Windows\Temp/postgresql_installer_f37cf0f7f1
Successfully processed 1 files; Failed processing 0 files

Script stderr:
 

Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /T /Q /grant "ALDI-199\911-092STL01$:(OI)(CI)F"
Script exit code: 5

Script output:
 Successfully processed 1 files; Failed processing 1 files

Script stderr:
 C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.

Error running icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /T /Q /grant "ALDI-199\911-092STL01$:(OI)(CI)F": C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.
Cannot delete file C:/Windows/Temp/postgresql_installer_f37cf0f7f1
Exiting with code 1

 
SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in this
directory by SYSTEM inherit FULL CONTROL from the parent. But if I check the
temporary directory '.\postgresql_installer_ca555e4059' I see that the
inheritance is disabled for this particular directory. Only the principal
named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.

Sure, once I receive the logs I may ask you to get the ACLs for some directories which will give us more clues.
 
The same issue is also true for PostgreSQL 12.2. The last time this
procedure worked that I know is with the installer for PostgreSQL 9.6.12.

Kind regards



Am Mo., 6. Apr. 2020 um 14:27 Uhr schrieb Sandeep Thakkar <sandeep.thakkar@enterprisedb.com>:
Hi,



On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <noreply@postgresql.org> wrote:
The following bug has been logged on the website:

Bug reference:      16341
Logged by:          Enrico La Torre
Email address:      pg.dba.iit.team@gmail.com
PostgreSQL version: 9.6.17
Operating system:   Windows Server 2016
Description:       

Hi,

it could be that the same bug was reported in
https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
, but nobody answered until today.

It is impossible for me to install PostgreSQL 9.6.17 with the EnterpriseDB
installer (free Community Edition) on Windows Server 2016 in the security
context of NT AUTHORITY\SYSTEM.

Can you elaborate this please?
 
If I start the installer with a regular
domain admin account, which is also local administrator, the installer
starts. 

OK
 
I receive the error message:
"Error running icacls "C:\Windows\Temp/postgresql_installer_ca555e4059" /T
/Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"

I disclaimed The log file of the installer
'C:\Windows\Temp\install-postgresql.log' is never written.

There must be files starting with bitrock*
 
SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in this
directory by SYSTEM inherit FULL CONTROL from the parent. But if I check the
temporary directory '.\postgresql_installer_ca555e4059' I see that the
inheritance is disabled for this particular directory. Only the principal
named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.

Sure, once I receive the logs I may ask you to get the ACLs for some directories which will give us more clues.
 
The same issue is also true for PostgreSQL 12.2. The last time this
procedure worked that I know is with the installer for PostgreSQL 9.6.12.

Kind regards



--
Sandeep Thakkar




--
Fahar Abbas
QMG
EnterpriseDB Corporation
Phone Office: +92-51-835-8874
Phone Direct: +92-51-8466803
Mobile: +92-333-5409707
Skype ID: live:fahar.abbas
Website: www.enterprisedb.com


--
Sandeep Thakkar




--
Sandeep Thakkar




--
Sandeep Thakkar




--
Sandeep Thakkar


pgsql-bugs by date:

Previous
From: Sandeep Thakkar
Date:
Subject: Re: BUG #16364: ICACLS error when installing under system context "NTAUTHORITY\SYSTEM" ie installing with SCCM
Next
From: Michael Paquier
Date:
Subject: Re: [BUG] non archived WAL removed during production crash recovery