diff --git a/src/auth/AuthClientHandler.h b/src/auth/AuthClientHandler.h
index 0bebb74c447f8..69fbd6aeadeea 100644
--- a/src/auth/AuthClientHandler.h
+++ b/src/auth/AuthClientHandler.h
@@ -47,11 +47,6 @@ class AuthClientHandler { want = keys | CEPH_ENTITY_TYPE_AUTH; validate_tickets(); }
- void add_want_keys(__u32 keys) {
- RWLock::WLocker l(lock);
- want |= keys;
- validate_tickets();
- }
 virtual int get_protocol() const = 0;
diff --git a/src/auth/KeyRing.cc b/src/auth/KeyRing.cc
index 527076df025f9..b946a298b48bb 100644
--- a/src/auth/KeyRing.cc
+++ b/src/auth/KeyRing.cc
@@ -233,6 +233,7 @@ int KeyRing::load(CephContext *cct, const std::string &filename) } catch (const buffer::error& err) { lderr(cct) << "error parsing file " << filename << dendl;
+ return -EIO;
 } ldout(cct, 2) << "KeyRing::load: loaded key file " << filename << dendl;
diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc
index a314608cc2336..fe1f87a8510ce 100644
--- a/src/auth/cephx/CephxClientHandler.cc
+++ b/src/auth/cephx/CephxClientHandler.cc
@@ -167,7 +167,7 @@ int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata) if (decode_decrypt(cct, secrets, secret_key, indata, error)) { ldout(cct, 0) << "could not set rotating key: decode_decrypt failed. error:" << error << dendl;
- error.clear();
+ return -EINVAL;
 } else { rotating_secrets->set_secrets(secrets); }
diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index 28b1437539586..cda1554375d99 100644
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
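Review bot: In KeyRing::load the catch block now returns -EIO, but the log line just above it still drops the decoder's reason, so an operator cannot tell a truncated keyring from a malformed one. buffer::error exposes what() (the AuthMonitor.cc hunk in this commit prints it), so the message could read `lderr(cct) << "error parsing file " << filename << ": " << err.what() << dendl;`. The try body is outside the hunk; if the decode writes into this KeyRing directly, entries parsed before the failure may remain in it, so callers should treat the object as unusable whenever load() returns non-zero.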
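Review bot: With `return -EINVAL;` on the decode_decrypt failure path in CephxClientHandler::handle_response, the `else` around `rotating_secrets->set_secrets(secrets);` no longer guards anything and can be flattened so the success path reads straight through. The rest of handle_response lies outside the hunk, so it is worth confirming that nothing after this point was relied on when the rotating-key decrypt failed. The caller should also be checked to surface -EINVAL as a failed key refresh rather than silently continuing with the old rotating secrets.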
@@ -296,15 +296,14 @@ bool KeyServer::contains(const EntityName& name) const int KeyServer::encode_secrets(Formatter *f, stringstream *ds) const { Mutex::Locker l(lock); - - if (f) - f->open_array_section("auth_dump"); - map::const_iterator mapiter = data.secrets_begin(); if (mapiter == data.secrets_end()) return -ENOENT; + if (f) + f->open_array_section("auth_dump"); + while (mapiter != data.secrets_end()) { const EntityName& name = mapiter->first; if (ds) {
@@ -458,6 +457,7 @@ int KeyServer::build_session_auth_info(uint32_t service_id, CephXServiceTicketIn info.service_secret = service_secret; info.secret_id = secret_id;
+ Mutex::Locker l(lock);
 return _build_session_auth_info(service_id, auth_ticket_info, info); }
diff --git a/src/auth/cephx/CephxKeyServer.h b/src/auth/cephx/CephxKeyServer.h
index 76b1c13630578..8e1bd183dcd59 100644
--- a/src/auth/cephx/CephxKeyServer.h
+++ b/src/auth/cephx/CephxKeyServer.h
@@ -241,10 +241,12 @@ class KeyServer : public KeyStore { } void clear_secrets() {
+ Mutex::Locker l(lock);
 data.clear_secrets(); } void apply_data_incremental(KeyServerData::Incremental& inc) {
+ Mutex::Locker l(lock);
 data.apply_incremental(inc); } void set_ver(version_t ver) {
@@ -267,19 +269,16 @@ class KeyServer : public KeyStore { return (b != data.secrets_end()); } int get_num_secrets() {
+ Mutex::Locker l(lock);
 return data.secrets.size(); }
- /*void add_rotating_secret(uint32_t service_id, ExpiringCryptoKey& key) {
- Mutex::Locker l(lock);
- data.add_rotating_secret(service_id, key);
- }
- */
 void clone_to(KeyServerData& dst) const { Mutex::Locker l(lock); dst = data; } void export_keyring(KeyRing& keyring) {
+ Mutex::Locker l(lock);
 for (map::iterator p = data.secrets.begin(); p != data.secrets.end(); ++p) {
diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index 9bfc81434f804..f5622a2207c0b 100644
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
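Review bot: The new `Mutex::Locker l(lock);` in KeyServer::build_session_auth_info, and the ones added to clear_secrets, apply_data_incremental, get_num_secrets and export_keyring in CephxKeyServer.h, make these lock-taking entry points without stating that convention anywhere. If `lock` is a non-recursive mutex (its declaration is not in the diff), any path that already holds it and reaches one of these methods will self-deadlock, so the call sites inside KeyServer are worth auditing. A short comment on each, such as `// takes lock; _-prefixed helpers expect the caller to hold it`, would record the rule these fixes rely on. The body of set_ver, next to apply_data_incremental, is outside the hunk and should be checked for the same guard, since it sits beside methods that were unguarded until this change.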
@@ -121,7 +121,7 @@ void AuthMonitor::update_from_paxos(bool *need_bootstrap) version_t keys_ver = mon->key_server.get_ver(); if (version == keys_ver) return;
- assert(version >= keys_ver);
+ assert(version > keys_ver);
 version_t latest_full = get_version_latest_full();
@@ -721,7 +721,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) ::decode(keyring, iter); } catch (const buffer::error &ex) { ss << "error decoding keyring" << " " << ex.what();
- rs = err;
+ err = -EINVAL;
 goto done; } import_keyring(keyring);
diff --git a/src/mon/MonClient.h b/src/mon/MonClient.h
index 4e08ceb6d6c0a..2c7051bdb183f 100644
--- a/src/mon/MonClient.h
+++ b/src/mon/MonClient.h
@@ -382,12 +382,6 @@ class MonClient : public Dispatcher { auth->set_want_keys(want | CEPH_ENTITY_TYPE_MON); } - void add_want_keys(uint32_t want) { - want_keys |= want; - if (auth) - auth->add_want_keys(want); - } - // admin commands private: uint64_t last_mon_command_tid;
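Review bot: In AuthMonitor::update_from_paxos the tightened `assert(version > keys_ver);` cannot be reached with equal versions, because `if (version == keys_ver) return;` sits just above it, so the change states intent rather than altering behaviour. What the assertion protects is left unwritten: it appears to stop the monitor when the key server's version is ahead of the committed paxos version. A comment such as `// key_server must never be ahead of paxos` would make that fail-stop explicit for the next reader. The function continues outside the hunk.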