Major Description
I've found an interesting difference in behavior between macos/Oracle JDK 8.0_144 and Centos 7/OpenJDK 8.0_121 in the Sasl mechanism choosing code. On macos, it will not choose GSSAPI if Kerberos credentials aren't present, because Sasl.createSaslClient will throw a SaslException. On Centos 7 with OpenJDK, GSSAPI will be chosen, and the negotiation will fail during the first call to saslClient.evaluateChallenge (again, with a SaslException). I haven't gotten to the bottom of the difference in behavior, and whether the platform, JDK version, or both is involved.
Practically, the only effect this has is that unauthenticated clients on the Linux/OpenJDK platform will be unable to connect to authentication-optional servers, since the server will present GSSAPI as an option, the client will choose it, and then fail during evalueateChallenge.