diff --git a/lib/kadm5/get_princs_s.c b/lib/kadm5/get_princs_s.c
index 5bbaa6e08..27fac2bbb 100644
--- a/lib/kadm5/get_princs_s.c
+++ b/lib/kadm5/get_princs_s.c
@@ -98,7 +98,9 @@ kadm5_s_get_principals(void *server_handle,
 	krb5_realm r;
 	int aret;
 
-	krb5_get_default_realm(context->context, &r);
+	ret = krb5_get_default_realm(context->context, &r);
+        if (ret)
+            goto out;
 	aret = asprintf(&d.exp2, "%s@%s", expression, r);
 	free(r);
 	if (aret == -1 || d.exp2 == NULL) {
diff --git a/lib/kadm5/get_s.c b/lib/kadm5/get_s.c
index 7e741592c..0c87343d2 100644
--- a/lib/kadm5/get_s.c
+++ b/lib/kadm5/get_s.c
@@ -296,8 +296,7 @@ kadm5_s_get_principal(void *server_handle,
 	krb5_free_salt(context->context, salt);
 	assert( out->n_key_data == n_keys );
     }
-    if (ret)
-	goto out;
+    assert(ret == 0);
     if(mask & KADM5_TL_DATA) {
 	time_t last_pw_expire;
 	const HDB_Ext_PKINIT_acl *acl;
@@ -324,6 +323,8 @@ kadm5_s_get_principal(void *server_handle,
 	    unsigned char buf[4];
 	    _krb5_put_int(buf, last_pw_expire, sizeof(buf));
 	    ret = add_tl_data(out, KRB5_TL_LAST_PWD_CHANGE, buf, sizeof(buf));
+            if (ret)
+                goto out;
 	}
 
         ret = hdb_entry_get_krb5_config(&ent, &krb5_config);
diff --git a/lib/kadm5/rename_s.c b/lib/kadm5/rename_s.c
index f572dff34..914331817 100644
--- a/lib/kadm5/rename_s.c
+++ b/lib/kadm5/rename_s.c
@@ -136,7 +136,9 @@ kadm5_s_rename_principal(void *server_handle,
 	Salt salt;
 	krb5_salt salt2;
 	memset(&salt, 0, sizeof(salt));
-	krb5_get_pw_salt(context->context, source, &salt2);
+	ret = krb5_get_pw_salt(context->context, source, &salt2);
+        if (ret)
+            goto out3;
 	salt.type = hdb_pw_salt;
 	salt.salt = salt2.saltvalue;
 	for(i = 0; i < ent.keys.len; i++){