Thread: Error starting service on Win2k
I have installed 8.0-beta2-dev3 on Win2k but the service will not start. Firstly, I couldn't install postgresql as a Windows service using the insta= ller - using the installer, I couldn't add postgresql as a Windows service = without being a local administrator. However, if I was logged on as a local= admin then the service would install but there was an error reported later= on saying that the server wouldn't run because I was administrator (don't = have a log of that error, sorry). So I logged on as a regular user and used the installer to install postgres= ql but NOT as a service. Then I logged on as an admin, created a regular us= er account and used pg_ctl.exe to install the service under that account. W= hen I start the service the Windows service manager reports that the servic= e failed to start. The Application event log shows the following error (tho= ugh NB the user account is a regular user, not a "Power User" or "Administr= ator"): Event Type: Error Event Source: PostgreSQL Event Category: None Event ID: 0 Date: 17/09/2004 Time: 2:04:06 p.m. User: N/A Computer: RB-501A-08-C Description: The description for Event ID ( 0 ) in Source ( PostgreSQL ) cannot be found= . The local computer may not have the necessary registry information or mes= sage DLL files to display messages from a remote computer. The following in= formation is part of the event: execution of PostgreSQL by a user with admi= nistrative permissions is not permitted. The server must be started under an unprivileged user ID to prevent possible system security compromise. See the documentation for more information on how to properly start the server. =2E
>I have installed 8.0-beta2-dev3 on Win2k but the service will=20 >not start. > >Firstly, I couldn't install postgresql as a Windows service=20 >using the installer - using the installer, I couldn't add=20 >postgresql as a Windows service without being a local=20 >administrator. However, if I was logged on as a local admin=20 >then the service would install but there was an error reported=20 >later on saying that the server wouldn't run because I was=20 >administrator (don't have a log of that error, sorry). You need two accounts. One administrator account that starts the installer (this could be "Administrator" or cours e- definitly no need to create a special user for this). Another account which is used to run the eventual installed postgres. This is the account that you specify on the service account screen in the installer. This account MUST NOT be an administrator. >failed to start. The Application event log shows the following=20 >error (though NB the user account is a regular user, not a=20 >"Power User" or "Administrator"): Well, the systems says it is. Per FAQ 3.3 at http://pginstaller.projects.postgresql.org/FAQ_windows.html, please check the contents of your PU and Adm groups. They may contain other nested groups. //Magnus
Magnus Hagander wrote: > >Firstly, I couldn't install postgresql as a Windows service=20 > >using the installer - using the installer, I couldn't add=20 > >postgresql as a Windows service without being a local=20 > >administrator. However, if I was logged on as a local admin=20 > >then the service would install but there was an error reported=20 > >later on saying that the server wouldn't run because I was=20 > >administrator (don't have a log of that error, sorry). >=20 > You need two accounts. One administrator account that starts the > installer (this could be "Administrator" or cours e- definitly no need > to create a special user for this). Another account which is=20 > used to run > the eventual installed postgres. This is the account that you=20 > specify on > the service account screen in the installer. This account=20 > MUST NOT be an > administrator. OK. It turns out that the problem there was that the installer (postgresql-= 8.0-beta2-dev3.msi) actually created a user account which WAS a member of "= Power Users", because my "Power Users" group included the group "NT AUTHORI= TY\Authenticated Users" (according to the MS website [1], this is the defau= lt configuration for Windows XP and Windows 2k Professional, though NOT for= Win2k Server or Win2003 Server). This setting means that ANY new local acc= ount is AUTOMATICALLY a power user. When I realised this I removed the "NT = AUTHORITY\Authenticated Users" from the "Power Users" local group, and the = installer ran perfectly. It would be better if the installer would detect this situation, though, be= cause users installing PostgreSQL on WinXP or Win2k Professional with the d= efault security setup will otherwise find that the installer will create a = user account which then doesn't work, which is not a good start :-) The cau= se is not immediately apparent because "NT AUTHORITY\Authenticated Users" i= s not a regular security group, so the user account doesn't show up as bein= g a member. You have to know what "NT AUTHORITY\Authenticated Users" actual= ly means. IMHO, when the PG installer creates a user account, it should tes= t to see if it is automatically a Power User, or it could test the "Power U= sers" group, and any nested groups directly to see if they contain this "NT= AUTHORITY\Authenticated Users" group, and if so, it should pop up a dialog= box pointing out the need to remove "NT AUTHORITY\Authenticated Users" fro= m the "Power Users" group, perhaps even making this modification itself. Thanks for your help, Magnus! Con 1. http://www.microsoft.com/windows2000/en/professional/help/windows_security_= default_settings.htm http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/= proddocs/en-us/windows_security_differences.asp
>> You need two accounts. One administrator account that starts the >> installer (this could be "Administrator" or cours e-=20 >definitly no need >> to create a special user for this). Another account which is=20 >> used to run >> the eventual installed postgres. This is the account that you=20 >> specify on >> the service account screen in the installer. This account=20 >> MUST NOT be an >> administrator. > >OK. It turns out that the problem there was that the installer=20 >(postgresql-8.0-beta2-dev3.msi) actually created a user=20 >account which WAS a member of "Power Users", because my "Power=20 >Users" group included the group "NT AUTHORITY\Authenticated=20 >Users" (according to the MS website [1], this is the default=20 >configuration for Windows XP and Windows 2k Professional,=20 >though NOT for Win2k Server or Win2003 Server). This setting=20 >means that ANY new local account is AUTOMATICALLY a power=20 >user. When I realised this I removed the "NT=20 >AUTHORITY\Authenticated Users" from the "Power Users" local=20 >group, and the installer ran perfectly. That is an interesting note. I've never seen "Power Users" contain Authenticated Users on any system I've installed, but the page certainly claims it.=20 However, it makes no claim about Windows XP that I can see. Only about Windows 2000, and it shows the difference for the server platform. >It would be better if the installer would detect this=20 >situation, though, because users installing PostgreSQL on=20 >WinXP or Win2k Professional with the default security setup=20 >will otherwise find that the installer will create a user=20 >account which then doesn't work, which is not a good start :-)=20 Yes, if this ia default in a bunch of installations, we certainly should. I've added a tracker to the installer to check for htis, and we'll try toget it in there before release. I will also add it to the installer/windows FAQ. //Magnus
> >OK. It turns out that the problem there was that the installer=20 > >(postgresql-8.0-beta2-dev3.msi) actually created a user=20 > >account which WAS a member of "Power Users", because my "Power=20 > >Users" group included the group "NT AUTHORITY\Authenticated=20 > >Users" (according to the MS website [1], this is the default=20 > >configuration for Windows XP and Windows 2k Professional,=20 > >though NOT for Win2k Server or Win2003 Server). This setting=20 > >means that ANY new local account is AUTOMATICALLY a power=20 > >user. When I realised this I removed the "NT=20 > >AUTHORITY\Authenticated Users" from the "Power Users" local=20 > >group, and the installer ran perfectly. Magnus Hagander wrote: > That is an interesting note. I've never seen "Power Users" contain > Authenticated Users on any system I've installed, but the=20 > page certainly > claims it.=20 > However, it makes no claim about Windows XP that I can see. Only about > Windows 2000, and it shows the difference for the server platform. The second link in my earlier email mentioned WinXP Professional, which is = the same as Win2k Professional in this regard, so it is definitely still a = current issue: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/= proddocs/en-us/windows_security_differences.asp Probably most serious use of pg would be on a "Server" version of the OS, b= ut there are probably a lot more boxes out there running "Professional", so= I'd expect it to come up quite often all the same, especially (as for me) = when people are first evaluating the software. Cheers Con