diff --git a/kdc/524.c b/kdc/524.c index 54ae2c438..2bb409056 100644 --- a/kdc/524.c +++ b/kdc/524.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -63,12 +63,15 @@ fetch_server (const Ticket *t, kdc_log(0, "krb5_unparse_name: %s", krb5_get_err_text(context, ret)); return ret; } - *server = db_fetch(sprinc); + ret = db_fetch(sprinc, server); krb5_free_principal(context, sprinc); - if(*server == NULL){ - kdc_log(0, "Request to convert ticket from %s for unknown principal %s", - from, *spn); - return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + if (ret) { + kdc_log(0, + "Request to convert ticket from %s for unknown principal %s: %s", + from, *spn, krb5_get_err_text(context, ret)); + if (ret == ENOENT) + ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + return ret; } return 0; } diff --git a/kdc/kdc_locl.h b/kdc/kdc_locl.h index 7a52785f9..c49c60f4e 100644 --- a/kdc/kdc_locl.h +++ b/kdc/kdc_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -80,7 +80,7 @@ extern struct timeval now; krb5_error_code as_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr*); void configure (int, char**); -hdb_entry* db_fetch (krb5_principal); +krb5_error_code db_fetch (krb5_principal, hdb_entry**); void free_ent(hdb_entry *); void kdc_log (int, const char*, ...) __attribute__ ((format (printf, 2,3))); 
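Review bot: In fetch_server (kdc/524.c) the "service principal unknown" result now hinges on `if (ret == ENOENT)`, but db_fetch's body is not in this part of the diff, so it is not visible that a missing entry comes back as exactly ENOENT rather than an HDB-specific not-found code. If it does not, a lookup for a nonexistent principal would return the raw database error instead of KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. The same test is used in the later tgs_rep2 changes in kdc/kerberos5.c. Once confirmed, a short comment at the test such as `/* db_fetch reports a missing entry as ENOENT */` would pin the contract for all of them. The log text also still reads "for unknown principal" on every failure, which can mislead triage when the cause is a database error; "principal lookup failed" would fit both cases.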
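Review bot: The new `db_fetch` prototype in kdc/kdc_locl.h says nothing about the state of the `hdb_entry **` argument when the call fails, and every caller changed in this commit now depends on that. do_version4 and tgs_rep2 either jump to cleanup labels or keep running after a non-zero return, so they need to know whether the pointer is set to NULL, left untouched, or may refer to a partly filled entry. I would add a comment above the declaration along the lines of `/* Returns 0 and stores the entry in *ent; on error returns a krb5_error_code and *ent is (state the guarantee here). */`. The same applies to the `db_fetch4` prototype changed in the next hunk of this header.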
@@ -99,7 +99,7 @@ krb5_error_code check_flags(hdb_entry *client, const char *client_name, krb5_boolean is_as_req); #ifdef KRB4 -hdb_entry* db_fetch4 (const char*, const char*, const char*); +krb5_error_code db_fetch4 (const char*, const char*, const char*, hdb_entry**); krb5_error_code do_524 (const Ticket*, krb5_data*, const char*, struct sockaddr*); krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*, struct sockaddr_in*); diff --git a/kdc/kerberos4.c b/kdc/kerberos4.c index d7f340b7a..8eedac673 100644 --- a/kdc/kerberos4.c +++ b/kdc/kerberos4.c @@ -37,8 +37,6 @@ RCSID("$Id$"); #ifdef KRB4 -#include "kerberos4.h" - #ifndef swap32 static u_int32_t swap32(u_int32_t x) @@ -81,9 +79,10 @@ valid_princ(krb5_context context, krb5_principal princ) ret = krb5_unparse_name(context, princ, &s); if (ret) return 0; - ent = db_fetch(princ); - if(ent == NULL){ - kdc_log(7, "Lookup %s failed", s); + ret = db_fetch(princ, &ent); + if (ret) { + kdc_log(7, "Lookup %s failed: %s", s, + krb5_get_err_text (context, ret)); free(s); return 0; } @@ -93,20 +92,20 @@ valid_princ(krb5_context context, krb5_principal princ) return 1; } -hdb_entry* -db_fetch4(const char *name, const char *instance, const char *realm) +krb5_error_code +db_fetch4(const char *name, const char *instance, const char *realm, + hdb_entry **ent) { krb5_principal p; - hdb_entry *ent; krb5_error_code ret; ret = krb5_425_conv_principal_ext(context, name, instance, realm, valid_princ, 0, &p); if(ret) - return NULL; - ent = db_fetch(p); + return ret; + ret = db_fetch(p, ent); krb5_free_principal(context, p); - return ent; + return ret; } krb5_error_code 
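Review bot: db_fetch4 (kdc/kerberos4.c) returns straight after a failed krb5_425_conv_principal_ext without ever writing `*ent`, so on that path the caller's pointer keeps whatever value it had before the call. With the old signature a failure always produced NULL; do_version4 now takes `goto out1` / `goto out2` after a non-zero return, and if those labels release `client` or `server` (they are outside the visible hunks) an uninitialised pointer could reach the cleanup. Adding `*ent = NULL;` as the first statement of db_fetch4 restores the old guarantee regardless of how callers declare their variables. Whether db_fetch itself clears the pointer on failure is not visible here and is worth checking in the same pass.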
@@ -228,15 +227,17 @@ do_version4(unsigned char *buf, kdc_log(0, "AS-REQ %s from %s for %s", client_name, from, server_name); - client = db_fetch4(name, inst, realm); - if(client == NULL){ - kdc_log(0, "Client not found in database: %s", client_name); + ret = db_fetch4(name, inst, realm, &client); + if(ret) { + kdc_log(0, "Client not found in database: %s: %s", + client_name, krb5_get_err_text(context, ret)); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); goto out1; } - server = db_fetch4(sname, sinst, v4_realm); - if(server == NULL){ - kdc_log(0, "Server not found in database: %s", server_name); + ret = db_fetch4(sname, sinst, v4_realm, &server); + if(ret){ + kdc_log(0, "Server not found in database: %s: %s", + server_name, krb5_get_err_text(context, ret)); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); goto out1; } @@ -354,12 +355,13 @@ do_version4(unsigned char *buf, goto out2; } - tgt = db_fetch(tgt_princ); - if(tgt == NULL){ + ret = db_fetch(tgt_princ, &tgt); + if(ret){ char *s; s = kdc_log_msg(0, "Ticket-granting ticket not " - "found in database: krbtgt.%s@%s", - realm, v4_realm); + "found in database: krbtgt.%s@%s: %s", + realm, v4_realm, + krb5_get_err_text(context, ret)); make_err_reply(reply, KFAILURE, s); free(s); goto out2; 
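Review bot: In the AS-REQ path of do_version4 every non-zero return from db_fetch4 is still answered with KERB_ERR_PRINCIPAL_UNKNOWN and logged as "not found in database", although `ret` can now be a name-conversion or database error. During a backend failure that tells the client the principal does not exist, and it points whoever reads the log at the wrong cause. as_rep in kdc/kerberos5.c has the same shape: it overwrites `ret` with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN unconditionally, while tgs_rep2 in this commit remaps only ENOENT. For as_rep the consistent form would be `if (ret == ENOENT) ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;`; for the v4 reply, `KFAILURE` (already used further down for the missing krbtgt) looks like the fit for the non-ENOENT case.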
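Review bot: The string built by kdc_log_msg in the krbtgt lookup of do_version4 now ends with `krb5_get_err_text(context, ret)` and is then handed to `make_err_reply(reply, KFAILURE, s)`. If make_err_reply copies its third argument into the reply (its body is not in this diff), internal database error text becomes visible to the remote requester, who has not been authenticated at this point as far as the hunk shows. The "Server not found" branch in the later do_version4 hunk, and the client branch under `#if 0`, pass the extended string the same way. I would log the detailed text with kdc_log and keep the message given to make_err_reply at its previous wording, without the trailing `: %s`.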
@@ -430,22 +432,23 @@ do_version4(unsigned char *buf, } #if 0 - client = db_fetch4(ad.pname, ad.pinst, ad.prealm); - if(client == NULL){ + ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client); + if(ret){ char *s; - s = kdc_log_msg(0, "Client not found in database: %s.%s@%s", - ad.pname, ad.pinst, ad.prealm); + s = kdc_log_msg(0, "Client not found in database: %s.%s@%s: %s", + ad.pname, ad.pinst, ad.prealm, + krb5_get_err_text(context, ret)); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); free(s); goto out2; } #endif - server = db_fetch4(sname, sinst, v4_realm); - if(server == NULL){ + ret = db_fetch4(sname, sinst, v4_realm, &server); + if(ret){ char *s; - s = kdc_log_msg(0, "Server not found in database: %s", - server_name); + s = kdc_log_msg(0, "Server not found in database: %s: %s", + server_name, krb5_get_err_text(context, ret)); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); free(s); goto out2; diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 4af2d796e..6f2f54bcf 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -469,17 +469,18 @@ as_rep(KDC_REQ *req, if(ret) goto out; - client = db_fetch(client_princ); - if(client == NULL){ - kdc_log(0, "UNKNOWN -- %s", client_name); + ret = db_fetch(client_princ, &client); + if(ret){ + kdc_log(0, "UNKNOWN -- %s: %s", client_name, + krb5_get_err_text(context, ret)); ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto out; } - server = db_fetch(server_princ); - - if(server == NULL){ - kdc_log(0, "UNKNOWN -- %s", server_name); + ret = db_fetch(server_princ, &server); + if(ret){ + kdc_log(0, "UNKNOWN -- %s: %s", server_name, + krb5_get_err_text(context, ret)); ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto out; } 
@@ -1350,12 +1351,13 @@ tgs_rep2(KDC_REQ_BODY *b, ap_req.ticket.sname, ap_req.ticket.realm); - krbtgt = db_fetch(princ); + ret = db_fetch(princ, &krbtgt); - if(krbtgt == NULL) { + if(ret) { char *p; krb5_unparse_name(context, princ, &p); - kdc_log(0, "Ticket-granting ticket not found in database: %s", p); + kdc_log(0, "Ticket-granting ticket not found in database: %s: %s", + p, krb5_get_err_text(context, ret)); free(p); ret = KRB5KRB_AP_ERR_NOT_US; goto out2; @@ -1510,10 +1512,11 @@ tgs_rep2(KDC_REQ_BODY *b, goto out2; } principalname2krb5_principal(&p, t->sname, t->realm); - uu = db_fetch(p); + ret = db_fetch(p, &uu); krb5_free_principal(context, p); - if(uu == NULL){ - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + if(ret){ + if (ret == ENOENT) + ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto out; } ret = hdb_enctype2key(context, uu, t->enc_part.etype, &tkey); @@ -1541,10 +1544,9 @@ tgs_rep2(KDC_REQ_BODY *b, else kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn); server_lookup: - server = db_fetch(sp); - + ret = db_fetch(sp, &server); - if(server == NULL){ + if(ret){ Realm req_rlm, new_rlm; if(loop++ < 2 && (req_rlm = is_krbtgt(&sp->name))){ new_rlm = find_rpath(req_rlm); 
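Review bot: In the krbtgt lookup of tgs_rep2 the error branch declares `char *p;`, ignores the return value of `krb5_unparse_name(context, princ, &p)`, and then passes `p` to kdc_log's `%s` and to free(). If unparsing fails, for instance under the same resource shortage that made db_fetch fail, `p` may be uninitialised at both uses. Checking the result keeps the branch safe: `if (krb5_unparse_name(context, princ, &p)) p = NULL;` and then log `p ? p : "(unparse failed)"` in place of `p`. tgs_rep2 starts and ends outside this hunk.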
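Review bot: The user-to-user branch of tgs_rep2 is the only db_fetch call site in this commit that fails without a log line: after `ret = db_fetch(p, &uu);` a non-zero `ret` goes straight to `goto out`. A database error on this path therefore leaves no trace in the KDC log, and because only ENOENT is remapped, any other value reaches the reply path as a raw errno or database code. Adding `kdc_log(0, "User-to-user service principal lookup failed: %s", krb5_get_err_text(context, ret));` before the `goto out` would bring it in line with the other sites. How the `out:` label turns a non-Kerberos error code into the reply is outside this hunk and worth confirming.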
@@ -1559,19 +1561,24 @@ tgs_rep2(KDC_REQ_BODY *b, goto server_lookup; } } - kdc_log(0, "Server not found in database: %s", spn); - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + kdc_log(0, "Server not found in database: %s: %s", spn, + krb5_get_err_text(context, ret)); + if (ret == ENOENT) + ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto out; } - client = db_fetch(cp); - if(client == NULL) - kdc_log(1, "Client not found in database: %s", cpn); + ret = db_fetch(cp, &client); + if(ret) + kdc_log(1, "Client not found in database: %s: %s", + cpn, krb5_get_err_text(context, ret)); #if 0 /* XXX check client only if same realm as krbtgt-instance */ - if(client == NULL){ - kdc_log(0, "Client not found in database: %s", cpn); - ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + if(ret){ + kdc_log(0, "Client not found in database: %s: %s", + cpn, krb5_get_err_text(context, ret)); + if (ret == ENOENT) + ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto out; } #endif
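Review bot: After `ret = db_fetch(cp, &client);` in tgs_rep2 a failed client lookup is only logged and execution continues, because the strict check stays under `#if 0`; `ret` is now left non-zero and `client` holds whatever db_fetch left in it. Before this change the assignment itself guaranteed `client == NULL` here and `ret` was not touched. The code after the `#endif` is outside the hunk, so it should be confirmed that `client` is initialised to NULL at its declaration (or that db_fetch stores NULL on failure) and that nothing reads `ret` before it is reassigned. Making it explicit is cheap: brace the `if(ret)` branch and add `client = NULL;` after the kdc_log call, with a comment such as `/* a missing client entry is tolerated here; see the disabled check below */`.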