
Incorrect error from remote kadmin in get of undefined principal
Hi All,
I've had a look through the archive and can't see this having come up
but I hope that I amn't posting something that's already solved...

I'm migrating from an OpenLDAP auth solution to a Heimdal/OpenLDAP
solution. I haven't been able to get pam_krb5_migrate to work properly
so I attempted to adapt
http://diamond.nonado.net/misc/krb5_migrate/krb5_migrate.txt.html to
auth off a remote kadmind rather than use kadmin -l

I'm using a keytab with a pam_migrate principal that has get and add
permissions on the KDC. From the command line, I can connect, get and
add. If I attempt a get of a principal that's in the KDC, no problem.
Returns as expected. However, if I attempt a get of an undefined
principal, I get a keytab error.

Example:
Defined principal:
/usr/sbin/kadmin -a kerberos -K /etc/security/pam_krb5.keytab -p
pam_migrate get -s default
Principal  Expiration  PW-exp  PW-change  Max life  Max renew
default    never       never   never      1 day     1 week

Undefined principal:
/usr/sbin/kadmin -a kerberos -K /etc/security/pam_krb5.keytab -p
pam_migrate get -s doesnotexistinkerberos
kadmin: get doesnotexistinkerberos: failed to find pam_migrate@REALM in
keytab /etc/security/pam_krb5.keytab (des3-cbc-md5)
Principal  Expiration  PW-exp  PW-change  Max life  Max renew

If I try it with kadmin -l on the KDC, I get:
/usr/sbin/kadmin -l get -s doesnotexistinkerberos
kadmin: get doesnotexistinkerberos: Principal does not exist
Principal  Expiration  PW-exp  PW-change  Max life  Max renew

Am I missing something or is this expected behaviour?

Regards,
Cian Davis
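As an added example (not part of Cian's post or of Heimdal): a POSIX sh helper that a migration script could use so that the keytab error shown above is never mistaken for "principal does not exist". It assumes a successful get writes nothing to stderr (the post shows only the stdout table) and uses the principal and keytab names from the post.

```sh
#!/bin/sh
# Added example (not from the original post). A migration script that treats
# any failing "get" as "the principal is absent" would mis-handle the keytab
# error shown in the post. These helpers classify the stderr text so that
# only the explicit "Principal does not exist" message counts as "missing";
# everything else is reported as "error" and left for a human to inspect.
#
# Assumptions: a successful get writes nothing to stderr (the post shows only
# the stdout table), and the principal/keytab names below are the post's.

# classify_kadmin_get STDERR_TEXT -> prints present | missing | error
classify_kadmin_get() {
    case "$1" in
        "")                            echo present ;;
        *"Principal does not exist"*)  echo missing ;;
        *)                             echo error ;;
    esac
}

# probe_principal PRINCIPAL KADMIN_CMD [ARGS...]
# Runs "KADMIN_CMD ARGS... get -s PRINCIPAL", captures stderr only, and
# classifies the result. The kadmin command is a parameter so the same logic
# works with the remote invocation from the post or with a stub for testing.
probe_principal() {
    princ=$1
    shift
    # Redirect order matters: stderr goes into the substitution, stdout is
    # discarded. A non-zero exit is tolerated; the text decides the outcome.
    err=$("$@" get -s "$princ" 2>&1 >/dev/null) || :
    classify_kadmin_get "$err"
}

# Usage with the remote invocation from the post (needs a reachable kadmind):
# probe_principal default /usr/sbin/kadmin -a kerberos \
#     -K /etc/security/pam_krb5.keytab -p pam_migrate
```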