diff --git a/kadmin/add_enctype.c b/kadmin/add_enctype.c
index 78b791c2e..0ababf4f1 100644
--- a/kadmin/add_enctype.c
+++ b/kadmin/add_enctype.c
@@ -82,13 +82,19 @@ add_enctype(struct add_enctype_options*opt, int argc, char **argv)
 ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
 KADM5_KVNO | KADM5_PRINCIPAL | KADM5_KEY_DATA);
 if (ret) {
- krb5_free_principal (context, princ_ent);
- krb5_warnx (context, "no such principal: %s", princ_name);
+ krb5_free_principal(context, princ_ent);
+ krb5_warnx(context, "no such principal: %s", princ_name);
 goto out2;
 }
 
- new_key_data = malloc((princ.n_key_data + n_etypes)
- * sizeof(*new_key_data));
+ /* Check that we got key data */
+ if (kadm5_all_keys_are_bogus(princ.n_key_data, princ.key_data)) {
+ krb5_warnx(context, "user lacks get-keys privilege");
+ goto out;
+ }
+
+ new_key_data = calloc(princ.n_key_data + n_etypes,
+ sizeof(*new_key_data));
 if (new_key_data == NULL) {
 krb5_warnx (context, "out of memory");
 goto out;
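Review bot: The new guard ahead of the `calloc` rejects the entry only when every key is a placeholder, so an entry returned with a mix of real and redacted keys would still be merged into `new_key_data`. The rest of add_enctype is outside the hunk, but if that array is later written back to the database, placeholder bytes would be stored in place of real key material. If partial redaction can occur on this path and lib/kadm5 in this tree provides it, the stricter `kadm5_some_keys_are_bogus(princ.n_key_data, princ.key_data)` is the safer test. The warning would also be easier to act on if it named the principal, as the "no such principal" message above does: `krb5_warnx(context, "user lacks get-keys privilege for %s", princ_name);`. The comment could state why the check exists, e.g. `/* Refuse to continue with placeholder keys: they would be stored in place of the real ones */`.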