I've noticed two additional kerberos sasl mechanisms that aren't blacklisted
[0xb80670]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:"GS2-IAKERB", :"GS2-KRB5", :"SCRAM-SHA-1", :"SCRAM-SHA-256", :GSSAPI, :"GSS-SPNEGO", :"DIGEST-MD5", :OTP, :"CRAM-MD5", :ANONYMOUS]]
They are GS2-IAKERB and GS2-KRB5. The GS2-KRB5 is the problematic one, allowing GS2-IAKERB does not stop proton from trying ANONYMOUS eventually.
When GS2-KRB5 is enabled, I get this failure instead (in ctest tests, test 23, or when connecting sender example to broker example)
23: amqp:unauthorized-access: SASL(-1): generic failure: GS2 Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) (Authentication failed [mech=none])
I think those must be new. They appear on macOS, or if I install all cyrus-sasl packages on RHEL 7.7 or RHEL 8.1.