Re: BUG #16341: Installation with EnterpriseDB Community installer in NT AUTHORITY\SYSTEM context not possible

Hi Fahar, hi Sandeep

thank you for investigating.

As mentioned earlier, the installation works with a domain account. The
domain account is also member of the local administrator group of the
server where I get the error message.

I get the error I reported if I try to start the installer in NT
AUTHORITY\SYSTEM security context. I get this context by using psexec.exe.

The last installer I know of that worked for me was 9.6.12.

Kind regards

Am Sa., 11. Apr. 2020 um 07:12 Uhr schrieb Sandeep Thakkar <
sandeep(dot)thakkar(at)enterprisedb(dot)com>:

> Fahar, Bert,
>
> It's reproducible at my end. I'll investigate and get back to you.
>
> On Fri, Apr 10, 2020 at 6:58 PM Fahar Abbas <fahar(dot)abbas(at)enterprisedb(dot)com>
> wrote:
>
>> Hi Bert,
>>
>> I am not able to reproduce the issue on normal users while I am only
>> getting an error message while I run installer on Domain control Admin
>> Account.
>>
>> Please find the issue on snapshot.
>>
>> Is this the same problem you are facing?
>>
>> On Mon, Apr 6, 2020 at 7:11 PM Bert Brezel <pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com>
>> wrote:
>>
>>> Hi, thank you for your reply. I answered below your comments.
>>>
>>> On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <
>>> noreply(at)postgresql(dot)org> wrote:
>>>
>>>> The following bug has been logged on the website:
>>>>
>>>> Bug reference: 16341
>>>> Logged by: Enrico La Torre
>>>> Email address: pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com
>>>> PostgreSQL version: 9.6.17
>>>> Operating system: Windows Server 2016
>>>> Description:
>>>>
>>>> Hi,
>>>>
>>>> it could be that the same bug was reported in
>>>>
>>>> https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
>>>> , but nobody answered until today.
>>>>
>>>> It is impossible for me to install PostgreSQL 9.6.17 with the
>>>> EnterpriseDB
>>>> installer (free Community Edition) on Windows Server 2016 in the
>>>> security
>>>> context of NT AUTHORITY\SYSTEM.
>>>
>>>
>>> Can you elaborate this please?
>>>
>>> I use psexec.exe from the Sysinternals Suite
>>> <https://docs.microsoft.com/de-de/sysinternals/downloads/sysinternals-suite> to
>>> get a PowerShell cmd shell in NT AUTHORITY\SYSTEM context. whoami returns
>>> 'nt authority\system'.
>>> If I then start the installer with
>>> '.\postgresql-9.6.17-1-windows-x64.exe' the interactive installer starts
>>> and returns the given error message. To be precise, only the logo of
>>> EnterpriseDB is shown and then the error message appears.
>>> Usually we call the installer in the unattended mode in our scripts but
>>> it even fails in the interactive mode now. So I ruled out any error with
>>> the argument list of the installer call.
>>>
>>>
>>>> If I start the installer with a regular
>>>> domain admin account, which is also local administrator, the installer
>>>> starts.
>>>>
>>>> OK
>>>
>>>
>>>> I receive the error message:
>>>> "Error running icacls "C:\Windows\Temp/postgresql_installer_ca555e4059"
>>>> /T
>>>> /Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
>>>> C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"
>>>>
>>>> I disclaimed The log file of the installer
>>>> 'C:\Windows\Temp\install-postgresql.log' is never written.
>>>>
>>>> There must be files starting with bitrock*
>>>
>>> The file 'C:\Windows\Temp\bitrock_installer.log' shows (I also attached
>>> the file to this mail):
>>>
>>> Log started 04/06/2020 at 15:51:53
>>> Preferred installation mode : qt
>>> Trying to init installer in mode qt
>>> Mode qt successfully initialized
>>> Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1"
>>> /inheritance:r
>>> Script exit code: 0
>>>
>>> Script output:
>>> processed file: C:\Windows\Temp/postgresql_installer_f37cf0f7f1
>>> Successfully processed 1 files; Failed processing 0 files
>>>
>>> Script stderr:
>>>
>>>
>>> Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /T /Q
>>> /grant "ALDI-199\911-092STL01$:(OI)(CI)F"
>>> Script exit code: 5
>>>
>>> Script output:
>>> Successfully processed 1 files; Failed processing 1 files
>>>
>>> Script stderr:
>>> C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.
>>>
>>> Error running icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1"
>>> /T /Q /grant "ALDI-199\911-092STL01$:(OI)(CI)F":
>>> C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.
>>> Cannot delete file C:/Windows/Temp/postgresql_installer_f37cf0f7f1
>>> Exiting with code 1
>>>
>>>
>>>
>>>
>>>> SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in
>>>> this
>>>> directory by SYSTEM inherit FULL CONTROL from the parent. But if I
>>>> check the
>>>> temporary directory '.\postgresql_installer_ca555e4059' I see that the
>>>> inheritance is disabled for this particular directory. Only the
>>>> principal
>>>> named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.
>>>>
>>>> Sure, once I receive the logs I may ask you to get the ACLs for some
>>> directories which will give us more clues.
>>>
>>>
>>>> The same issue is also true for PostgreSQL 12.2. The last time this
>>>> procedure worked that I know is with the installer for PostgreSQL
>>>> 9.6.12.
>>>>
>>>> Kind regards
>>>>
>>>>
>>>
>>> Am Mo., 6. Apr. 2020 um 14:27 Uhr schrieb Sandeep Thakkar <
>>> sandeep(dot)thakkar(at)enterprisedb(dot)com>:
>>>
>>>> Hi,
>>>>
>>>>
>>>>
>>>> On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <
>>>> noreply(at)postgresql(dot)org> wrote:
>>>>
>>>>> The following bug has been logged on the website:
>>>>>
>>>>> Bug reference: 16341
>>>>> Logged by: Enrico La Torre
>>>>> Email address: pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com
>>>>> PostgreSQL version: 9.6.17
>>>>> Operating system: Windows Server 2016
>>>>> Description:
>>>>>
>>>>> Hi,
>>>>>
>>>>> it could be that the same bug was reported in
>>>>>
>>>>> https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
>>>>> , but nobody answered until today.
>>>>>
>>>>> It is impossible for me to install PostgreSQL 9.6.17 with the
>>>>> EnterpriseDB
>>>>> installer (free Community Edition) on Windows Server 2016 in the
>>>>> security
>>>>> context of NT AUTHORITY\SYSTEM.
>>>>
>>>>
>>>> Can you elaborate this please?
>>>>
>>>>
>>>>> If I start the installer with a regular
>>>>> domain admin account, which is also local administrator, the installer
>>>>> starts.
>>>>>
>>>>> OK
>>>>
>>>>
>>>>> I receive the error message:
>>>>> "Error running icacls
>>>>> "C:\Windows\Temp/postgresql_installer_ca555e4059" /T
>>>>> /Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
>>>>> C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"
>>>>>
>>>>> I disclaimed The log file of the installer
>>>>> 'C:\Windows\Temp\install-postgresql.log' is never written.
>>>>>
>>>>> There must be files starting with bitrock*
>>>>
>>>>
>>>>> SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in
>>>>> this
>>>>> directory by SYSTEM inherit FULL CONTROL from the parent. But if I
>>>>> check the
>>>>> temporary directory '.\postgresql_installer_ca555e4059' I see that the
>>>>> inheritance is disabled for this particular directory. Only the
>>>>> principal
>>>>> named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.
>>>>>
>>>>> Sure, once I receive the logs I may ask you to get the ACLs for some
>>>> directories which will give us more clues.
>>>>
>>>>
>>>>> The same issue is also true for PostgreSQL 12.2. The last time this
>>>>> procedure worked that I know is with the installer for PostgreSQL
>>>>> 9.6.12.
>>>>>
>>>>> Kind regards
>>>>>
>>>>>
>>>>
>>>> --
>>>> Sandeep Thakkar
>>>>
>>>>
>>>>
>>
>> --
>> Fahar Abbas
>> QMG
>> EnterpriseDB Corporation
>> Phone Office: +92-51-835-8874
>> Phone Direct: +92-51-8466803
>> Mobile: +92-333-5409707
>> Skype ID: *live:fahar.abbas*
>> Website: www.enterprisedb.com
>>
>
>
> --
> Sandeep Thakkar
>
>
>