Re: BUG #16341: Installation with EnterpriseDB Community installer in NT AUTHORITY\SYSTEM context not possible

Platform support

The installers are tested by EnterpriseDB on the following platforms. They
can generally be expected to run on other comparable versions:
PostgreSQL Version 64 Bit Windows Platforms 32 Bit Windows Platforms
12 2019, 2016, 2012 R2
11 2019, 2016, 2012 R2
10 2016, 2012 R2 & R1, 7, 8, 10 2008 R1, 7, 8, 10
9.6 2012 R2 & R1, 2008 R2, 7, 8, 10 2008 R1, 7, 8, 10
9.5 2012 R2 & R1, 2008 R2 2008 R1
9.4 2012 R2, 2008 R2 2008 R1

Can you please try to install PG-11 and PG-12 on your Windows 2016 server
with a Domain account?

I will create a new Domain controller account setup on Windows 2016 server
on Monday.

On Fri, Apr 10, 2020 at 6:27 PM Fahar Abbas <fahar(dot)abbas(at)enterprisedb(dot)com>
wrote:

> Hi Bert,
>
> I am not able to reproduce the issue on normal users while I am only
> getting an error message while I run installer on Domain control Admin
> Account.
>
> Please find the issue on snapshot.
>
> Is this the same problem you are facing?
>
> On Mon, Apr 6, 2020 at 7:11 PM Bert Brezel <pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com>
> wrote:
>
>> Hi, thank you for your reply. I answered below your comments.
>>
>> On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <
>> noreply(at)postgresql(dot)org> wrote:
>>
>>> The following bug has been logged on the website:
>>>
>>> Bug reference: 16341
>>> Logged by: Enrico La Torre
>>> Email address: pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com
>>> PostgreSQL version: 9.6.17
>>> Operating system: Windows Server 2016
>>> Description:
>>>
>>> Hi,
>>>
>>> it could be that the same bug was reported in
>>>
>>> https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
>>> , but nobody answered until today.
>>>
>>> It is impossible for me to install PostgreSQL 9.6.17 with the
>>> EnterpriseDB
>>> installer (free Community Edition) on Windows Server 2016 in the security
>>> context of NT AUTHORITY\SYSTEM.
>>
>>
>> Can you elaborate this please?
>>
>> I use psexec.exe from the Sysinternals Suite
>> <https://docs.microsoft.com/de-de/sysinternals/downloads/sysinternals-suite> to
>> get a PowerShell cmd shell in NT AUTHORITY\SYSTEM context. whoami returns
>> 'nt authority\system'.
>> If I then start the installer with
>> '.\postgresql-9.6.17-1-windows-x64.exe' the interactive installer starts
>> and returns the given error message. To be precise, only the logo of
>> EnterpriseDB is shown and then the error message appears.
>> Usually we call the installer in the unattended mode in our scripts but
>> it even fails in the interactive mode now. So I ruled out any error with
>> the argument list of the installer call.
>>
>>
>>> If I start the installer with a regular
>>> domain admin account, which is also local administrator, the installer
>>> starts.
>>>
>>> OK
>>
>>
>>> I receive the error message:
>>> "Error running icacls "C:\Windows\Temp/postgresql_installer_ca555e4059"
>>> /T
>>> /Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
>>> C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"
>>>
>>> I disclaimed The log file of the installer
>>> 'C:\Windows\Temp\install-postgresql.log' is never written.
>>>
>>> There must be files starting with bitrock*
>>
>> The file 'C:\Windows\Temp\bitrock_installer.log' shows (I also attached
>> the file to this mail):
>>
>> Log started 04/06/2020 at 15:51:53
>> Preferred installation mode : qt
>> Trying to init installer in mode qt
>> Mode qt successfully initialized
>> Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1"
>> /inheritance:r
>> Script exit code: 0
>>
>> Script output:
>> processed file: C:\Windows\Temp/postgresql_installer_f37cf0f7f1
>> Successfully processed 1 files; Failed processing 0 files
>>
>> Script stderr:
>>
>>
>> Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /T /Q
>> /grant "ALDI-199\911-092STL01$:(OI)(CI)F"
>> Script exit code: 5
>>
>> Script output:
>> Successfully processed 1 files; Failed processing 1 files
>>
>> Script stderr:
>> C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.
>>
>> Error running icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /T
>> /Q /grant "ALDI-199\911-092STL01$:(OI)(CI)F":
>> C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.
>> Cannot delete file C:/Windows/Temp/postgresql_installer_f37cf0f7f1
>> Exiting with code 1
>>
>>
>>
>>
>>> SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in
>>> this
>>> directory by SYSTEM inherit FULL CONTROL from the parent. But if I check
>>> the
>>> temporary directory '.\postgresql_installer_ca555e4059' I see that the
>>> inheritance is disabled for this particular directory. Only the principal
>>> named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.
>>>
>>> Sure, once I receive the logs I may ask you to get the ACLs for some
>> directories which will give us more clues.
>>
>>
>>> The same issue is also true for PostgreSQL 12.2. The last time this
>>> procedure worked that I know is with the installer for PostgreSQL 9.6.12.
>>>
>>> Kind regards
>>>
>>>
>>
>> Am Mo., 6. Apr. 2020 um 14:27 Uhr schrieb Sandeep Thakkar <
>> sandeep(dot)thakkar(at)enterprisedb(dot)com>:
>>
>>> Hi,
>>>
>>>
>>>
>>> On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <
>>> noreply(at)postgresql(dot)org> wrote:
>>>
>>>> The following bug has been logged on the website:
>>>>
>>>> Bug reference: 16341
>>>> Logged by: Enrico La Torre
>>>> Email address: pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com
>>>> PostgreSQL version: 9.6.17
>>>> Operating system: Windows Server 2016
>>>> Description:
>>>>
>>>> Hi,
>>>>
>>>> it could be that the same bug was reported in
>>>>
>>>> https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
>>>> , but nobody answered until today.
>>>>
>>>> It is impossible for me to install PostgreSQL 9.6.17 with the
>>>> EnterpriseDB
>>>> installer (free Community Edition) on Windows Server 2016 in the
>>>> security
>>>> context of NT AUTHORITY\SYSTEM.
>>>
>>>
>>> Can you elaborate this please?
>>>
>>>
>>>> If I start the installer with a regular
>>>> domain admin account, which is also local administrator, the installer
>>>> starts.
>>>>
>>>> OK
>>>
>>>
>>>> I receive the error message:
>>>> "Error running icacls "C:\Windows\Temp/postgresql_installer_ca555e4059"
>>>> /T
>>>> /Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
>>>> C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"
>>>>
>>>> I disclaimed The log file of the installer
>>>> 'C:\Windows\Temp\install-postgresql.log' is never written.
>>>>
>>>> There must be files starting with bitrock*
>>>
>>>
>>>> SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in
>>>> this
>>>> directory by SYSTEM inherit FULL CONTROL from the parent. But if I
>>>> check the
>>>> temporary directory '.\postgresql_installer_ca555e4059' I see that the
>>>> inheritance is disabled for this particular directory. Only the
>>>> principal
>>>> named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.
>>>>
>>>> Sure, once I receive the logs I may ask you to get the ACLs for some
>>> directories which will give us more clues.
>>>
>>>
>>>> The same issue is also true for PostgreSQL 12.2. The last time this
>>>> procedure worked that I know is with the installer for PostgreSQL
>>>> 9.6.12.
>>>>
>>>> Kind regards
>>>>
>>>>
>>>
>>> --
>>> Sandeep Thakkar
>>>
>>>
>>>
>
> --
> Fahar Abbas
> QMG
> EnterpriseDB Corporation
> Phone Office: +92-51-835-8874
> Phone Direct: +92-51-8466803
> Mobile: +92-333-5409707
> Skype ID: *live:fahar.abbas*
> Website: www.enterprisedb.com
>

--
Fahar Abbas
QMG
EnterpriseDB Corporation
Phone Office: +92-51-835-8874
Phone Direct: +92-51-8466803
Mobile: +92-333-5409707
Skype ID: *live:fahar.abbas*
Website: www.enterprisedb.com