diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index e79ece53911..759104c040a 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -79,6 +79,7 @@ INSTALL(FILES
   ${CMAKE_CURRENT_SOURCE_DIR}/mysql_performance_tables.sql
   ${CMAKE_CURRENT_SOURCE_DIR}/fill_help_tables.sql
   ${CMAKE_CURRENT_SOURCE_DIR}/mysql_test_data_timezone.sql
+  ${CMAKE_CURRENT_SOURCE_DIR}/mysql_to_mariadb.sql
   ${FIX_PRIVILEGES_SQL}
   DESTINATION ${INSTALL_MYSQLSHAREDIR} COMPONENT Server
 )
diff --git a/scripts/mysql_to_mariadb.sql b/scripts/mysql_to_mariadb.sql
new file mode 100644
index 00000000000..4ee3f3a4214
--- /dev/null
+++ b/scripts/mysql_to_mariadb.sql
@@ -0,0 +1,22 @@
+-- Script that changes MySQL 5.7 privilege tables to MariaDB 10.x
+-- This should be run first with
+-- mysql --force mysql < mysql_to_mariadb.sql
+-- It's ok to ignore any errors, as these usually means that the tables are
+-- already fixed.
+
+-- After this script s run, one should run at least:
+-- mysql_upgrade --upgrade-system-tables
+-- to get the other tables in the mysql database fixed.
+
+-- Drop not existing columnms
+alter table mysql.user drop column `password_last_changed`, drop column `password_lifetime`, drop column `account_locked`;
+
+-- Change existing columns
+alter table mysql.user change column `authentication_string` `auth_string` text COLLATE utf8_bin NOT NULL;
+
+-- Add new columns
+alter table mysql.user add column  `Password` char(41) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL DEFAULT '' after `user`, add column  `is_role` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N' after `auth_string`;
+alter table mysql.user add column `default_role` char(80) COLLATE utf8_bin NOT NULL DEFAULT '', add column `max_statement_time` decimal(12,6) NOT NULL DEFAULT '0.000000';
+
+-- Fix passwords
+update mysql.user set `password`=`auth_string`, plugin='' where plugin="mysql_native_password";
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index d34f04ceb6f..3b6f8bc9f16 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1263,15 +1263,12 @@ static bool acl_load(THD *thd, TABLE_LIST *tables)
   }
   freeze_size(&acl_hosts);
 
-  if (init_read_record(&read_record_info, thd, table=tables[USER_TABLE].table,
-                       NULL, 1, 1, FALSE))
-    goto end;
-  table->use_all_columns();
   (void) my_init_dynamic_array(&acl_users,sizeof(ACL_USER), 50, 100, MYF(0));
   (void) my_hash_init2(&acl_roles,50, &my_charset_utf8_bin,
                        0, 0, 0, (my_hash_get_key) acl_role_get_key, 0,
                        (void (*)(void *))free_acl_role, 0);
 
+  table= tables[USER_TABLE].table,
   username_char_length= MY_MIN(table->field[1]->char_length(),
                                USERNAME_CHAR_LENGTH);
   password_length= table->field[2]->field_length /
@@ -1283,6 +1280,10 @@ static bool acl_load(THD *thd, TABLE_LIST *tables)
     goto end;
   }
 
+  if (init_read_record(&read_record_info, thd, table, NULL, 1, 1, FALSE))
+    goto end;
+  table->use_all_columns();
+
   DBUG_PRINT("info",("user table fields: %d, password length: %d",
 		     table->s->fields, password_length));
 
@@ -1294,6 +1295,7 @@ static bool acl_load(THD *thd, TABLE_LIST *tables)
       mysql_mutex_unlock(&LOCK_global_system_variables);
       sql_print_error("Fatal error: mysql.user table is in old format, "
                       "but server started with --secure-auth option.");
+      end_read_record(&read_record_info);
       goto end;
     }
     mysql_user_table_is_in_short_password_format= true;