Merged
10 changes: 10 additions & 0 deletions conceptual/Npgsql/release-notes/10.0.md
Expand Up @@ -80,6 +80,16 @@ With .NET 6 no longer supported by Npgsql, the PostgreSQL `cidr` type is now map

Npgsql emits metrics and tracing data that provide various information about commands and connections. Since these were designed when the OpenTelemetry specifications were in an earlier stage, they did not align with current standard naming. Npgsql 10 changes metrics names and tracing span tags to better align with the standard, allowing Npgsql observability data to be tracked in dashboards just like other standards-conforming database drivers. If you already have a dashboard set up to consume Npgsql observability data, its configuration will need to change to accomodate the new naming.

### Cannot load library libgssapi_krb5.so.2 when Kerberos is not installed

Since Npgsql 10.0 defaults to trying GSSAPI session encryption, it may generate the following error on some Linux environments:

```error
Cannot load library libgssapi_krb5.so.2: cannot open shared object file: No such file or directory
```

Npgsql internally handles this and falls back to connecting without GSSAPI, so the error is harmless. You can specify `GSS Encryption Mode=Disable` to stop Npgsql from trying to use GSSAPI and remove the error.

### Only root CA certificate is used to validate TLS chain

While establishing TLS connection with PostgreSQL, Npgsql will now only use the provided root CA certificate to validate TLS chain instead of using it in addition to the system CA store. This behaviour aligns with libpq and prevents establishing unintended connections.
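
Review bot: In the added "Cannot load library libgssapi_krb5.so.2" section, "falls back to connecting without GSSAPI, so the error is harmless" does not say what protects the connection after the fallback. Suggest stating that once GSSAPI is skipped, transport encryption depends on the `SSL Mode` setting, so a reader who sets `GSS Encryption Mode=Disable` to silence the message knows to check it. It would also help to name the default explicitly (`Prefer`) and link to the security page instead of carrying the same paragraph in both files. Minor: the fence is tagged `error`, which may not be a tag the doc build recognises; an untagged fence or `text` is safer.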
5 changes: 5 additions & 0 deletions conceptual/Npgsql/security.md
Expand Up @@ -51,6 +51,11 @@ Require | Only try a GSSAPI-encrypted connection.

The default mode is `Prefer`, which allows GSS-API session encryption but does not require it.

> [!NOTE]
> Some Linux environments do not have Kerberos installed; since Npgsql 10.0 defaults to `Prefer`, it will attempt to get GSSAPI credentials, and may generate an error such as the following:
> Cannot load library libgssapi_krb5.so.2: cannot open shared object file: No such file or directory
> Npgsql internally handles this and falls back to connecting without GSSAPI, so the error is harmless. You can specify `GSS Encryption Mode=Disable` to stop Npgsql from trying to use GSSAPI and remove the error.

## Encryption (SSL/TLS)

As an alternative to GSS-API, you can use SSL/TLS. First, you have to set up your PostgreSQL to receive SSL/TLS connections [as described here](http://www.postgresql.org/docs/current/static/ssl-tcp.html). Once that's done, specify `SSL Mode` in your connection string as detailed below.
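
Review bot: In the `[!NOTE]` block, the error text on the "> Cannot load library libgssapi_krb5.so.2: ..." line has no code formatting and no blank `>` line around it, so Markdown will fold it into a single paragraph with the sentences before and after it. Suggest fencing it inside the note, as the release-notes entry does, or separating it with empty `>` lines. The note also spells the term `GSSAPI` while the context line just above uses "GSS-API"; one spelling across the page would read better. As in the release notes, "the error is harmless" could point at the SSL/TLS section that follows, since that is what secures the connection after the fallback.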