From 489292ca09b69f673bbb8d1946a308d5ff6705c3 Mon Sep 17 00:00:00 2001 From: Shay Rojansky Date: Tue, 2 Dec 2025 09:00:59 +0100 Subject: [PATCH] Add info on GSSAPI-related error when Kerberos is not installed See https://github.com/npgsql/npgsql/issues/6360 --- conceptual/Npgsql/release-notes/10.0.md | 10 ++++++++++ conceptual/Npgsql/security.md | 5 +++++ 2 files changed, 15 insertions(+) diff --git a/conceptual/Npgsql/release-notes/10.0.md b/conceptual/Npgsql/release-notes/10.0.md index 58d2bf14..4d4f2bdd 100644 --- a/conceptual/Npgsql/release-notes/10.0.md +++ b/conceptual/Npgsql/release-notes/10.0.md 
@@ -80,6 +80,16 @@ With .NET 6 no longer supported by Npgsql, the PostgreSQL `cidr` type is now map Npgsql emits metrics and tracing data that provide various information about commands and connections. Since these were designed when the OpenTelemetry specifications were in an earlier stage, they did not align with current standard naming. Npgsql 10 changes metrics names and tracing span tags to better align with the standard, allowing Npgsql observability data to be tracked in dashboards just like other standards-conforming database drivers. If you already have a dashboard set up to consume Npgsql observability data, its configuration will need to change to accomodate the new naming. +### Cannot load library libgssapi_krb5.so.2 when Kerberos is not installed + +Since Npgsql 10.0 defaults to trying GSSAPI session encryption, it may generate the following error on some Linux environments: + +```error +Cannot load library libgssapi_krb5.so.2: cannot open shared object file: No such file or directory +``` + +Npgsql internally handles this and falls back to connecting without GSSAPI, so the error is harmless. You can specify `GSS Encryption Mode=Disable` to stop Npgsql from trying to use GSSAPI and remove the error. + ### Only root CA certificate is used to validate TLS chain While establishing TLS connection with PostgreSQL, Npgsql will now only use the provided root CA certificate to validate TLS chain instead of using it in addition to the system CA store. This behaviour aligns with libpq and prevents establishing unintended connections. diff --git a/conceptual/Npgsql/security.md b/conceptual/Npgsql/security.md index 35109382..517e5d88 100644 --- a/conceptual/Npgsql/security.md +++ b/conceptual/Npgsql/security.md 
@@ -51,6 +51,11 @@ Require | Only try a GSSAPI-encrypted connection. The default mode is `Prefer`, which allows GSS-API session encryption but does not require it. +> [!NOTE] +> Some Linux environments do not have Kerberos installed; since Npgsql 10.0 defaults to `Prefer`, it will attempt to get GSSAPI credentials, and may generate an error such as the following: +> Cannot load library libgssapi_krb5.so.2: cannot open shared object file: No such file or directory +> Npgsql internally handles this and falls back to connecting without GSSAPI, so the error is harmless. You can specify `GSS Encryption Mode=Disable` to stop Npgsql from trying to use GSSAPI and remove the error. + ## Encryption (SSL/TLS) As an alternative to GSS-API, you can use SSL/TLS. First, you have to set up your PostgreSQL to receive SSL/TLS connections [as described here](http://www.postgresql.org/docs/current/static/ssl-tcp.html). Once that's done, specify `SSL Mode` in your connection string as detailed below.
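Review bot: In the new "Cannot load library libgssapi_krb5.so.2" section of release-notes/10.0.md, "it may generate the following error" does not say where the reader will see the message (a thrown exception, a log entry, or something else), and that is what someone searching for this string needs in order to accept "harmless". Suggest naming the channel it surfaces through, and naming the default value `Prefer` here as the security.md text does, so that "defaults to trying GSSAPI session encryption" maps to a setting the reader can look up. The fence is tagged `error`, which is not a language name; `text` or an untagged fence would be safer. The same two paragraphs are repeated almost verbatim in security.md, so a link to that section from here would keep the two copies from drifting.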
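Review bot: In the `[!NOTE]` added to security.md, "the error is harmless" holds only for deployments that do not depend on GSSAPI session encryption: under the default `Prefer`, the fallback described here means the connection proceeds without it. The note offers only `GSS Encryption Mode=Disable`; it should also point readers who need GSSAPI encryption to `Require` in the table directly above, so that a missing Kerberos library does not silently drop them to a non-GSSAPI connection. Separately, the error text is a bare `>` line inside the blockquote and will be reflowed into the surrounding sentences when rendered; wrap it in backticks or a fenced block, as the release-notes hunk does.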