In Samba AD, the same SPN can be specified for different accounts, but an SPN should be unique. If two or more objects have the same SPN, the client can no longer get a ticket for this service. This is easily reproducible by copying the SPNs from one computer object to another and then trying to get a ticket for the service.

The request for a ticket then fails on the DC with:

[2020/02/27 13:30:24.111645, 3, pid=7549, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: cifs/...: no such entry found in hdb
[2020/02/27 13:30:24.111682, 3, pid=7549, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:...

MS Windows does not allow adding the same SPN to different objects. The Windows LDAP server answers the attempt with LDAP_CONSTRAINT_VIOLATION.
The right place for restricting things like this would be the samldb module.
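Until the directory enforces uniqueness itself, an administrator can audit for the condition described above. The following is an added example, not part of the original report or of Samba's code: it scans an LDIF export of the directory (for example from ldbsearch or ldapsearch) and lists every servicePrincipalName value held by more than one object. The sample entries are constructed, and the case-insensitive comparison of SPNs is an assumption of this sketch.

```python
import base64
from collections import defaultdict

# Constructed sample in LDIF form; hosts and SPNs are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=FS1,CN=Computers,DC=example,DC=test
servicePrincipalName: HOST/fs1.example.test
servicePrincipalName: cifs/fs1.example.test

dn: CN=FS2,CN=Computers,DC=example,DC=test
servicePrincipalName: HOST/fs2.example.test
servicePrincipalName: CIFS/FS1.example.test

dn: CN=WEB1,CN=Computers,DC=example,
 DC=test
servicePrincipalName:: SFRUUC93ZWIxLmV4YW1wbGUudGVzdA==
"""

def unfold(text):
    """Join LDIF continuation lines (one leading space) and drop '#' comments."""
    lines, skipping = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):
            if not skipping and lines and lines[-1]:
                lines[-1] += raw[1:]
        else:
            skipping = raw.startswith("#")
            if not skipping:
                lines.append(raw)
    return lines

def find_duplicate_spns(ldif_text):
    """Return {lowercased SPN: sorted DNs} for SPNs set on more than one object."""
    owners, dn = defaultdict(set), None
    for line in unfold(ldif_text):
        if not line:                       # a blank line ends the current entry
            dn = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname" and dn:
            owners[value.lower()].add(dn)  # assumption: SPNs compare case-insensitively
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    print(find_duplicate_spns(SAMPLE_LDIF))
```
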