CVE-2020-25722 samba-tool spn add: remove --force option

This did not actually *force* the creation of a duplicate SPN, it just
ignored the client-side check for the existing copy. Soon we are going
to enforce SPN uniqueness on the server side, and this --force will not
work. This will make the --force test fail, and if that tests fail, so
will others that depend the duplicate values. So we remove those tests.

It is wrong-headed to try to make duplicate SPNs in any case, which is
probably why there is no sign of anyone ever having used this option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python/samba/netcmd/spn.py

@@ -89,12 +89,10 @@ class cmd_spn_add(Command):
     takes_options = [
         Option("-H", "--URL", help="LDB URL for database or target server",
                type=str, metavar="URL", dest="H"),
-        Option("--force", help="Force the addition of the spn"
-                               " even it exists already", action="store_true"),
     ]
     takes_args = ["name", "user"]
 
-    def run(self, name, user, H=None, force=False,
+    def run(self, name, user, H=None,
             credopts=None,
             sambaopts=None,
             versionopts=None):
@@ -105,7 +103,7 @@ class cmd_spn_add(Command):
         res = sam.search(
             expression="servicePrincipalName=%s" % ldb.binary_encode(name),
             scope=ldb.SCOPE_SUBTREE)
-        if len(res) != 0 and not force:
+        if len(res) != 0:
             raise CommandError("Service principal %s already"
                                " affected to another user" % name)