diff --git a/kdc/bx509d.c b/kdc/bx509d.c
index 93bbfb6cb..142ea4a89 100644
--- a/kdc/bx509d.c
+++ b/kdc/bx509d.c
@@ -1825,6 +1825,7 @@ again:
     }
 
     MHD_stop_daemon(current);
+    _krb5_unload_plugins(context, "kdc");
     pthread_key_delete(k5ctx);
     return 0;
 }
diff --git a/kdc/main.c b/kdc/main.c
index 425d3ab42..a4a7ade12 100644
--- a/kdc/main.c
+++ b/kdc/main.c
@@ -174,6 +174,7 @@ main(int argc, char **argv)
     switch_environment();
 
     start_kdc(context, config, argv[0]);
+    _krb5_unload_plugins(context, "kdc");
     krb5_free_context(context);
     free(config);
     return 0;
diff --git a/kdc/process.c b/kdc/process.c
index ac5b7799b..bd9e418d4 100644
--- a/kdc/process.c
+++ b/kdc/process.c
@@ -98,6 +98,7 @@ _kdc_audit_addkv(kdc_request_t r, int flags, const char *k,
     }
 
     heim_array_append_value(r->kv, str);
+    heim_release(str);
 }
 
 void
@@ -360,7 +361,6 @@ process_request(krb5_context context,
     krb5_error_code ret;
     unsigned int i;
     int claim = 0;
-    heim_auto_release_t pool = heim_auto_release_create();
 
     r = calloc(sizeof(*r), 1);
     if (!r)
@@ -396,16 +396,16 @@ process_request(krb5_context context,
 		free(r->cname);
 		free(r->sname);
 		free(r->e_text_buf);
-		heim_release(r->kv);
 	    }
 
-	    heim_release(pool);
+            heim_release(r->kv);
+            free(r);
 	    return ret;
 	}
     }
 
-    heim_release(pool);
-
+    heim_release(r->kv);
+    free(r);
     return -1;
 }
 
diff --git a/kdc/test_csr_authorizer.c b/kdc/test_csr_authorizer.c
index b9cbf924f..8de75000b 100644
--- a/kdc/test_csr_authorizer.c
+++ b/kdc/test_csr_authorizer.c
@@ -72,6 +72,7 @@ main(int argc, char **argv)
         krb5_err(context, 1, ret, "Authorization failed");
     printf("Authorized!\n");
     krb5_free_principal(context, princ);
+    _krb5_unload_plugins(context, "kdc");
     krb5_free_context(context);
     hx509_request_free(&csr);
     /* FIXME There's no free function for config yet */
diff --git a/kdc/test_kdc_ca.c b/kdc/test_kdc_ca.c
index 18e92a212..a908b52ba 100644
--- a/kdc/test_kdc_ca.c
+++ b/kdc/test_kdc_ca.c
@@ -136,6 +136,7 @@ main(int argc, char **argv)
         if (ret != HX509_UNSUPPORTED_OPERATION)
             krb5_err(context, 1, ret,
                      "Could not store certificate and chain in %s", out);
+    _krb5_unload_plugins(context, "kdc");
     krb5_free_principal(context, p);
     krb5_free_context(context);
     hx509_request_free(&req);
diff --git a/kdc/test_token_validator.c b/kdc/test_token_validator.c
index 88b1cc47a..b4104d5b0 100644
--- a/kdc/test_token_validator.c
+++ b/kdc/test_token_validator.c
@@ -81,6 +81,8 @@ main(int argc, char **argv)
         printf("Token is valid.  Actual principal: %s\n", s);
     else
         printf("Token is valid.");
+    _krb5_unload_plugins(context, "kdc");
     krb5_free_principal(context, actual_princ);
+    krb5_free_context(context);
     return 0;
 }