From: Douglas Bagnall
Date: Thu, 26 Aug 2021 23:36:42 +0000 (+1200)
Subject: CVE-2020-25722 samba-tool spn add: remove --force option
X-Git-Tag: samba-4.13.14~124
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47279630f17de392c66f6833f815e9bc39d714d7;p=thirdparty%2Fsamba.git

CVE-2020-25722 samba-tool spn add: remove --force option

This did not actually *force* the creation of a duplicate SPN, it just ignored the client-side check for the existing copy. Soon we are going to enforce SPN uniqueness on the server side, and this --force will not work. This will make the --force test fail, and if that tests fail, so will others that depend the duplicate values. So we remove those tests. It is wrong-headed to try to make duplicate SPNs in any case, which is probably why there is no sign of anyone ever having used this option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---

diff --git a/python/samba/netcmd/spn.py b/python/samba/netcmd/spn.py
index 46e9c59272a..2676ff34fac 100644
--- a/python/samba/netcmd/spn.py
+++ b/python/samba/netcmd/spn.py
@@ -89,12 +89,10 @@ class cmd_spn_add(Command):
     takes_options = [
         Option("-H", "--URL", help="LDB URL for database or target server", type=str, metavar="URL", dest="H"),
-        Option("--force", help="Force the addition of the spn" " even it exists already", action="store_true"),
     ]
     takes_args = ["name", "user"]
-    def run(self, name, user, H=None, force=False,
+    def run(self, name, user, H=None,
             credopts=None, sambaopts=None, versionopts=None):
@@ -105,7 +103,7 @@ class cmd_spn_add(Command):
         res = sam.search( expression="servicePrincipalName=%s" % ldb.binary_encode(name), scope=ldb.SCOPE_SUBTREE)
-        if len(res) != 0 and not force:
+        if len(res) != 0:
             raise CommandError("Service principal %s already" " affected to another user" % name)
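Review bot: Removing `--force` from `takes_options` is a user-visible CLI change, not just dead code: any script that still invokes `samba-tool spn add --force ...` will now be rejected at option parsing instead of having the flag quietly ignored, so this deserves a release-note entry alongside the code. The commit message's claim that nobody used the option is plausible but is not something this hunk can show. The body of `run` continues outside the hunk; if the command's docstring or synopsis still mentions `--force`, it should be updated in the same change.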
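Review bot: The rejection at `if len(res) != 0:` is a client-side search followed by a separate modify, so two concurrent `spn add` invocations can both pass it and still create the duplicate this commit is trying to prevent; with `--force` gone this line now reads as if it were the enforcement point, and it is not. A comment such as `# Advisory pre-check only: SPN uniqueness is to be enforced server-side on the modify (bug 14564); this just gives a clearer error.` keeps the next maintainer from treating it as the security boundary. The search matches on the SPN alone, so when the existing holder is the target `user` itself the message `already affected to another user` is wrong, and in every case it hides which object holds the SPN; `raise CommandError("Service principal %s is already assigned to %s" % (name, res[0].dn))` would be more useful to the operator. The rest of `run` is outside the hunk.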
diff --git a/source4/setup/tests/blackbox_spn.sh b/source4/setup/tests/blackbox_spn.sh
index 429ace9494f..764ded4c88b 100755
--- a/source4/setup/tests/blackbox_spn.sh
+++ b/source4/setup/tests/blackbox_spn.sh
@@ -22,11 +22,8 @@ testit "addspn" $PYTHON $samba_tool spn add FOO/bar Administrator $CONFIG
 testit "delspn" $PYTHON $samba_tool spn delete FOO/bar $CONFIG
 testit "readdspn" $PYTHON $samba_tool spn add FOO/bar Administrator $CONFIG
 testit_expect_failure "failexistingspn" $PYTHON $samba_tool spn add FOO/bar Guest $CONFIG
-testit "existingspnforce" $PYTHON $samba_tool spn add --force FOO/bar Guest $CONFIG
 testit_expect_failure "faildelspnnotgooduser" $PYTHON $samba_tool spn delete FOO/bar krbtgt $CONFIG
-testit_expect_failure "faildelspnmoreoneuser" $PYTHON $samba_tool spn delete FOO/bar $CONFIG
-testit "deluserspn" $PYTHON $samba_tool spn delete FOO/bar Guest $CONFIG
-testit "dellastuserspn" $PYTHON $samba_tool spn delete FOO/bar $CONFIG
+testit "deluserspn" $PYTHON $samba_tool spn delete FOO/bar $CONFIG
 testit_expect_failure "faildelspn" $PYTHON $samba_tool spn delete FOO/bar $CONFIG
 testit_expect_failure "failaddspn" $PYTHON $samba_tool spn add FOO/bar nonexistinguser $CONFIG
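Review bot: The removal of the option is not itself covered: nothing in the script now asserts that `spn add --force ...` is rejected, so a change that reintroduces a bypass flag would pass this test unnoticed. A one-line negative test next to `failexistingspn`, `testit_expect_failure "failforceoption" $PYTHON $samba_tool spn add --force FOO/bar Guest $CONFIG`, pins the new behaviour. The remaining sequence relies on `FOO/bar` being held only by Administrator when `deluserspn` runs, which holds as long as the Guest add in `failexistingspn` keeps failing; a short comment stating that ordering assumption would make the script easier to edit safely.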