Обсуждение: Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account
First, we have tried many suggestions found in this and other sites. But the problem has not been solved.
View this message in context: Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account
Sent from the PostgreSQL - general mailing list archive at Nabble.com.
When trying to start postgresql as a service with a domain account on a windows 2012 server, the service starts and stops immediately. The Windows event log showed a terse error about timeout (even though it did not really take more than a couple of seconds for it to fail). By the way, the server is in an internal data center and does not have open access to public Internet.
We have made sure that the domain account has FULL access to all the directories under and including the installation directory (the domain account is NOT in the administrator group). We have made sure the domain account has the permission to "log on as a service" in Windows Local Security Policy. In fact, we can even use this domain account to start postgresql from command line - "pg_ctl -U xxxx -P yyyy -D.... start" but it just won't work when trying to start postgresql as a service. We have tried to install postgresql under a separate drive (not the default c drive), and it did not help.
We can start postgresql as a service if we use the local system account or the default NETWORK SERVICE account.
We have uninstalled (and removed cleanly) / reinstalled postgresql a number of times, have tried to install it under administrator mode, but none helped.
Any help will be greatly appreciated.
John
View this message in context: Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account
Sent from the PostgreSQL - general mailing list archive at Nabble.com.
Re: Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account
От
Raymond O'Donnell
Дата:
On 11/06/2014 17:05, boca2608 wrote: > First, we have tried many suggestions found in this and other sites. But > the problem has not been solved. > > When trying to start postgresql as a service with a domain account on a > windows 2012 server, the service starts and stops immediately. The > Windows event log showed a terse error about timeout (even though it did > not really take more than a couple of seconds for it to fail). By the PostgreSQL's own logs should have some more detail - the event log entry is indeed terse, PG writes all the interesting stuff to its own log. Ray. -- Raymond O'Donnell :: Galway :: Ireland rod@iol.ie
Thanks Ray. But unfortunately, there is no log entry in the postgresql log (as in the data/pg_log folder). The log file is empty. I checked the log before and after the error. Thanks, John -- View this message in context: http://postgresql.1045698.n5.nabble.com/Cannot-start-Postgresql-9-3-as-a-service-in-Windows-2012-Server-with-a-domain-account-tp5806847p5806999.html Sent from the PostgreSQL - general mailing list archive at Nabble.com.
Krystian Bigaj replied this in a separate email, which led to some interesting information that I would like to share in this mailing list. He suggested the use of the "Process Monitor" app to log the process events during the startup of the service and look for "ACCESS DENIED" errors. Here is what I found. During the startup, there were indeed several ACCESS DENIED errors: Date & Time: 6/12/2014 9:27:41 AM Event Class: Registry Operation: RegOpenKey Result: ACCESS DENIED Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options TID: 1964 Duration: 0.0000451 Desired Access: Query Value, Enumerate Sub Keys Date & Time: 6/12/2014 9:27:41 AM Event Class: Registry Operation: RegOpenKey Result: ACCESS DENIED Path: HKLM\System\CurrentControlSet\Control\Session Manager TID: 1964 Duration: 0.0000364 Desired Access: Read Date & Time: 6/12/2014 9:27:41 AM Event Class: File System Operation: CreateFile Result: ACCESS DENIED Path: C:\Windows\System32 TID: 1964 Duration: 0.0000409 Desired Access: Execute/Traverse, Synchronize Disposition: Open Options: Directory, Synchronous IO Non-Alert Attributes: n/a ShareMode: Read, Write AllocationSize: n/a Date & Time: 6/12/2014 9:27:41 AM Event Class: File System Operation: QueryOpen Result: ACCESS DENIED Path: D:\PostgreSQL\9.3\bin\ssleay32.dll TID: 1964 Duration: 0.0000270 I do not know how to give someone permission to a particular registry entry. But I suspect that the inability to access system32 might be the cause of the failure to start the service. But when I tried to add the domain user to the permission for system32 (READ & EXECUTE), Windows would not allow me to proceed. Has anybody seen such issues? Any help would be greatly appreciated. Thanks, John -- View this message in context: http://postgresql.1045698.n5.nabble.com/Cannot-start-Postgresql-9-3-as-a-service-in-Windows-2012-Server-with-a-domain-account-tp5806847p5807002.html Sent from the PostgreSQL - general mailing list archive at Nabble.com.
> -----Original Message----- > From: pgsql-general-owner@postgresql.org [mailto:pgsql-general- > owner@postgresql.org] On Behalf Of boca2608 > Sent: Thursday, June 12, 2014 10:00 AM > To: pgsql-general@postgresql.org > Subject: [GENERAL] Re: Cannot start Postgresql 9.3 as a service in Windows > 2012 Server with a domain account > > Krystian Bigaj replied this in a separate email, which led to some interesting > information that I would like to share in this mailing list. > > He suggested the use of the "Process Monitor" app to log the process events > during the startup of the service and look for "ACCESS DENIED" errors. Here > is what I found. During the startup, there were indeed several ACCESS > DENIED errors: > > Date & Time: 6/12/2014 9:27:41 AM > Event Class: Registry > Operation: RegOpenKey > Result: ACCESS DENIED > Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File > Execution Options > TID: 1964 > Duration: 0.0000451 > Desired Access: Query Value, Enumerate Sub Keys > > > Date & Time: 6/12/2014 9:27:41 AM > Event Class: Registry > Operation: RegOpenKey > Result: ACCESS DENIED > Path: HKLM\System\CurrentControlSet\Control\Session Manager > TID: 1964 > Duration: 0.0000364 > Desired Access: Read > > Date & Time: 6/12/2014 9:27:41 AM > Event Class: File System > Operation: CreateFile > Result: ACCESS DENIED > Path: C:\Windows\System32 > TID: 1964 > Duration: 0.0000409 > Desired Access: Execute/Traverse, Synchronize > Disposition: Open > Options: Directory, Synchronous IO Non-Alert > Attributes: n/a > ShareMode: Read, Write > AllocationSize: n/a > > > Date & Time: 6/12/2014 9:27:41 AM > Event Class: File System > Operation: QueryOpen > Result: ACCESS DENIED > Path: D:\PostgreSQL\9.3\bin\ssleay32.dll > TID: 1964 > Duration: 0.0000270 > > I do not know how to give someone permission to a particular registry entry. > But I suspect that the inability to access system32 might be the cause of the > failure to start the service. But when I tried to add the domain user to the > permission for system32 (READ & EXECUTE), Windows would not allow me to > proceed. Has anybody seen such issues? Any help would be greatly > appreciated. > > Thanks, > John > I missed the beginning of this thread. Is there a specific reason NOT to use local account for Postgres service? Regards, Igor Neyman
Re: Re: Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account
От
Raymond O'Donnell
Дата:
On 12/06/2014 14:51, boca2608 wrote: > Thanks Ray. But unfortunately, there is no log entry in the postgresql log > (as in the data/pg_log folder). The log file is empty. I checked the log > before and after the error. OK. You may need to enable logging (though I thought the EnterpriseDB installer had it enabled by default) - have a look at postgresql.conf, which ought to be in the data/ directory, and see what's in the section entitled "Error reporting and logging". My laptop installation (Postgres 9.3 on Windows 7) currently has the following (all set by the aforementioned installer) - log_destination = 'stderr' logging_collector = on log_directory = 'pg_log' log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' - and the log files are being created in data/pg_log as expected. HTH, Ray. -- Raymond O'Donnell :: Galway :: Ireland rod@iol.ie
Re: Re: Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account
От
Krystian Bigaj
Дата:
On 12 June 2014 15:59, boca2608 <boca2608@gmail.com> wrote:
Krystian Bigaj replied this in a separate email, which led to some
interesting information that I would like to share in this mailing list.
He suggested the use of the "Process Monitor" app to log the process events
during the startup of the service and look for "ACCESS DENIED" errors. Here
is what I found. During the startup, there were indeed several ACCESS
DENIED errors:
Date & Time: 6/12/2014 9:27:41 AM
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options
TID: 1964
Duration: 0.0000451
Desired Access: Query Value, Enumerate Sub KeysI had similar problem (but with initdb.exe).
Solution in your case is to add BUILTIN\Users group to your "postgres" account (this which you will use to start PG service).
Let me know if this helps.
PS. Don't change permissions on registry/file, because you will end up with a mess :)
Of course your PG data directory must have Full access for postgress account. Also your binaries must have a Read+Execute access for postgress. In most cases adding that BUILTIN\Users group to postgress will work, but I had a case, where end-user installed our software on drive where Users group had Deny permissions.
To sum it all:
- directory with your pgdata - Full access for postgress account
- PG installation dir (so parent of bin) - Read+Execute for postgress account
- postgres account must be member of BUILTIN\Users (!)
- if you are redirecting Log to other directory, then this dir also have to Full access for postgres account.
(I'm using "NT AUTHORITY\NetworkService" account)
Best regards,
Krystian Bigaj
Krystian Bigaj
Re: Re: Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account
От
Krystian Bigaj
Дата:
(re-posting, because I've used Reply, instead of Reply all, thanks)
On 11 June 2014 18:05, boca2608 <boca2608@gmail.com> wrote:
If you don't have (error) logs from PG then you could try to use Process Monitor, set filter for postgres.exe process, and start service. Look for errors in Result with eg. ACCESS_DENIED.When trying to start postgresql as a service with a domain account on a windows 2012 server, the service starts and stops immediately. The Windows event log showed a terse error about timeout (even though it did not really take more than a couple of seconds for it to fail). By the way, the server is in an internal data center and does not have open access to public Internet.
I've had some clients that had few different issues, and all of them was because of permissions issues (sometimes postgres.exe fails, sometimes initdb.exe fails). Setting correct permissions solved all of that problems.
PS. I'm running PG under NetworkService account, but I'm not using installer from EDB or even pg_ctl (shutdown code is buggy, but it's a postgres.exe issue).
Best regards,
Krystian Bigaj
Krystian Bigaj
Igor,
Our network security policy requires that such database services run under a dedicated domain account. (Postgresql does run successfully under local system account and the default NETWORK SERVICE account.)
Thanks,
John
From: Igor Neyman [via PostgreSQL] [mailto:[hidden email]]
Sent: Thursday, June 12, 2014 10:06 AM
To: boca2608
Subject: Re: Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account
> -----Original Message-----
> From: [hidden email] [mailto:pgsql-general-
> [hidden email]] On Behalf Of boca2608
> Sent: Thursday, June 12, 2014 10:00 AM
> To: [hidden email]
> Subject: [GENERAL] Re: Cannot start Postgresql 9.3 as a service in Windows
> 2012 Server with a domain account
>
> Krystian Bigaj replied this in a separate email, which led to some interesting
> information that I would like to share in this mailing list.
>
> He suggested the use of the "Process Monitor" app to log the process events
> during the startup of the service and look for "ACCESS DENIED" errors. Here
> is what I found. During the startup, there were indeed several ACCESS
> DENIED errors:
>
> Date & Time: 6/12/2014 9:27:41 AM
> Event Class: Registry
> Operation: RegOpenKey
> Result: ACCESS DENIED
> Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File
> Execution Options
> TID: 1964
> Duration: 0.0000451
> Desired Access: Query Value, Enumerate Sub Keys
>
>
> Date & Time: 6/12/2014 9:27:41 AM
> Event Class: Registry
> Operation: RegOpenKey
> Result: ACCESS DENIED
> Path: HKLM\System\CurrentControlSet\Control\Session Manager
> TID: 1964
> Duration: 0.0000364
> Desired Access: Read
>
> Date & Time: 6/12/2014 9:27:41 AM
> Event Class: File System
> Operation: CreateFile
> Result: ACCESS DENIED
> Path: C:\Windows\System32
> TID: 1964
> Duration: 0.0000409
> Desired Access: Execute/Traverse, Synchronize
> Disposition: Open
> Options: Directory, Synchronous IO Non-Alert
> Attributes: n/a
> ShareMode: Read, Write
> AllocationSize: n/a
>
>
> Date & Time: 6/12/2014 9:27:41 AM
> Event Class: File System
> Operation: QueryOpen
> Result: ACCESS DENIED
> Path: D:\PostgreSQL\9.3\bin\ssleay32.dll
> TID: 1964
> Duration: 0.0000270
>
> I do not know how to give someone permission to a particular registry entry.
> But I suspect that the inability to access system32 might be the cause of the
> failure to start the service. But when I tried to add the domain user to the
> permission for system32 (READ & EXECUTE), Windows would not allow me to
> proceed. Has anybody seen such issues? Any help would be greatly
> appreciated.
>
> Thanks,
> John
>
Is there a specific reason NOT to use local account for Postgres service?
Regards,
Igor Neyman
--
Sent via pgsql-general mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
If you reply to this email, your message will be added to the discussion below:
To unsubscribe from Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account, click here.
NAML
View this message in context: RE: Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account
Sent from the PostgreSQL - general mailing list archive at Nabble.com.
From: pgsql-general-owner@postgresql.org [mailto:pgsql-general-owner@postgresql.org] On Behalf Of boca2608 Sent: Thursday, June 12, 2014 11:05 AM To: pgsql-general@postgresql.org Subject: [GENERAL] Re: Cannot start Postgresql 9.3 as a service in Windows 2012 Server with a domain account Igor, Our network security policy requires that such database services run under a dedicated domain account. (Postgresql doesrun successfully under local system account and the default NETWORK SERVICE account.) Thanks, John I see. So, did you try to explicitly make this domain account member of local Users group? Regards, Igor
After adding the domain user account into the local users group, the postgresql service can be started successfully now. We will do more testing to make sure that all postgresql functions are working. But I want to give my big thanks to Krystian Bigaj, Igor Neyman and Raymond O'Donnell for offering timely help and making this user mailing list a great resource to the postgresql user community. Thanks, John -- View this message in context: http://postgresql.1045698.n5.nabble.com/Cannot-start-Postgresql-9-3-as-a-service-in-Windows-2012-Server-with-a-domain-account-tp5806847p5807040.html Sent from the PostgreSQL - general mailing list archive at Nabble.com.
> -----Original Message----- > From: pgsql-general-owner@postgresql.org [mailto:pgsql-general- > owner@postgresql.org] On Behalf Of boca2608 > Sent: Thursday, June 12, 2014 12:33 PM > To: pgsql-general@postgresql.org > Subject: [GENERAL] Re: Cannot start Postgresql 9.3 as a service in Windows > 2012 Server with a domain account > > After adding the domain user account into the local users group, the > postgresql service can be started successfully now. We will do more testing > to make sure that all postgresql functions are working. But I want to give my > big thanks to Krystian Bigaj, Igor Neyman and Raymond O'Donnell for > offering timely help and making this user mailing list a great resource to the > postgresql user community. > > Thanks, > John > Just a heads-up: These domain/network security people like to change accounts' passwords on regular basis, in which case your local Postgresservice will stop working. Pay attention. Regards, Igor