diff --git a/lib/kadm5/acl.c b/lib/kadm5/acl.c
index d36d43fa8..fdee715f9 100644
--- a/lib/kadm5/acl.c
+++ b/lib/kadm5/acl.c
@@ -179,7 +179,7 @@ check_flags (unsigned op,
     if(res & KADM5_PRIV_GET)
 	return KADM5_AUTH_GET;
     if(res & KADM5_PRIV_GET_KEYS)
-	return KADM5_AUTH_GET;
+	return KADM5_AUTH_GET_KEYS;
     if(res & KADM5_PRIV_ADD)
 	return KADM5_AUTH_ADD;
     if(res & KADM5_PRIV_MODIFY)
diff --git a/lib/kadm5/kadm5_err.et b/lib/kadm5/kadm5_err.et
index 1f12d0f8d..35c620e72 100644
--- a/lib/kadm5/kadm5_err.et
+++ b/lib/kadm5/kadm5_err.et
@@ -62,3 +62,4 @@ error_code SETKEY3_ETYPE_MISMATCH,	"Key/salt tuples don't match keys"
 error_code DECRYPT_USAGE_NOSUPP,	"Given usage of kadm5_decrypt() not supported"
 error_code POLICY_OP_NOSUPP,	"Policy operations not supported"
 error_code KEEPOLD_NOSUPP,	"Keep old keys option not supported"
+error_code AUTH_GET_KEYS,	"Operation requires `get-keys' privilege"