Commit 6923700

Add info on GSSAPI-related error when Kerberos is not installed (#437)
See npgsql/npgsql#6360
1 parent a82b78b commit 6923700

2 files changed

+15
-0
lines changed

conceptual/Npgsql/release-notes/10.0.md

Lines changed: 10 additions & 0 deletions
@@ -80,6 +80,16 @@ With .NET 6 no longer supported by Npgsql, the PostgreSQL `cidr` type is now map
8080

8181
Npgsql emits metrics and tracing data that provide various information about commands and connections. Since these were designed when the OpenTelemetry specifications were in an earlier stage, they did not align with current standard naming. Npgsql 10 changes metrics names and tracing span tags to better align with the standard, allowing Npgsql observability data to be tracked in dashboards just like other standards-conforming database drivers. If you already have a dashboard set up to consume Npgsql observability data, its configuration will need to change to accomodate the new naming.
8282

83+
### Cannot load library libgssapi_krb5.so.2 when Kerberos is not installed
84+
85+
Since Npgsql 10.0 defaults to trying GSSAPI session encryption, it may generate the following error on some Linux environments:
86+
87+
```error
88+
Cannot load library libgssapi_krb5.so.2: cannot open shared object file: No such file or directory
89+
```
90+
91+
Npgsql internally handles this and falls back to connecting without GSSAPI, so the error is harmless. You can specify `GSS Encryption Mode=Disable` to stop Npgsql from trying to use GSSAPI and remove the error.
92+
8393
### Only root CA certificate is used to validate TLS chain
8494

8595
While establishing TLS connection with PostgreSQL, Npgsql will now only use the provided root CA certificate to validate TLS chain instead of using it in addition to the system CA store. This behaviour aligns with libpq and prevents establishing unintended connections.
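
Review bot: The paragraph added at new line 91 calls the error "harmless" without saying what the fallback means for encryption: "falls back to connecting without GSSAPI" leaves the reader to work out that the session is then not GSS-encrypted, and `GSS Encryption Mode=Disable` makes that permanent. Since the next section of this same file is about TLS chain validation, I'd add one sentence pointing readers who need encryption in transit to `SSL Mode`, and link to security.md rather than repeating the text in both files. It would also help to say where the message surfaces (log output versus a thrown exception), because that decides whether anyone has to act on it. Minor: the fence opened at new line 87 is tagged `error`, which does not look like a language name a highlighter would recognize; `text` or `console` would be the safer tag.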

conceptual/Npgsql/security.md

Lines changed: 5 additions & 0 deletions
@@ -51,6 +51,11 @@ Require | Only try a GSSAPI-encrypted connection.
5151

5252
The default mode is `Prefer`, which allows GSS-API session encryption but does not require it.
5353

54+
> [!NOTE]
55+
> Some Linux environments do not have Kerberos installed; since Npgsql 10.0 defaults to `Prefer`, it will attempt to get GSSAPI credentials, and may generate an error such as the following:
56+
> Cannot load library libgssapi_krb5.so.2: cannot open shared object file: No such file or directory
57+
> Npgsql internally handles this and falls back to connecting without GSSAPI, so the error is harmless. You can specify `GSS Encryption Mode=Disable` to stop Npgsql from trying to use GSSAPI and remove the error.
58+
5459
## Encryption (SSL/TLS)
5560

5661
As an alternative to GSS-API, you can use SSL/TLS. First, you have to set up your PostgreSQL to receive SSL/TLS connections [as described here](http://www.postgresql.org/docs/current/static/ssl-tcp.html). Once that's done, specify `SSL Mode` in your connection string as detailed below.
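
Review bot: Inside the `> [!NOTE]` block, the error text at new line 56 is a bare quoted line with no blank `>` line around it and no code formatting, so Markdown will fold lines 55 to 57 into a single paragraph and the message will run into the surrounding prose. Wrap it in backticks or give it its own fenced block within the quote, separated by empty `>` lines, the way the release-notes hunk fences it. On content, this is the security page, so "the error is harmless" should be qualified: with `Prefer` the connection proceeds without GSS-API encryption when the library is missing, and the note should say that users who depend on encryption need `Require` or the SSL/TLS settings described in the section that follows.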
