diff --git a/executor/grant.go b/executor/grant.go
index 4225043e21fd0..e8fe3b4291140 100644
--- a/executor/grant.go
+++ b/executor/grant.go
@@ -70,7 +70,9 @@ func (e *GrantExec) Next(ctx context.Context, chk *chunk.Chunk) error {
 		if err != nil {
 			return errors.Trace(err)
 		}
-		if !exists {
+		if !exists && e.ctx.GetSessionVars().SQLMode.HasNoAutoCreateUserMode() {
+			return ErrPasswordNoMatch
+		} else if !exists {
 			pwd, ok := user.EncodedPassword()
 			if !ok {
 				return errors.Trace(ErrPasswordFormat)
diff --git a/executor/grant_test.go b/executor/grant_test.go
index bb3d33262ebea..eff26c2e60680 100644
--- a/executor/grant_test.go
+++ b/executor/grant_test.go
@@ -19,6 +19,8 @@ import (
 
 	. "github.com/pingcap/check"
 	"github.com/pingcap/parser/mysql"
+	"github.com/pingcap/parser/terror"
+	"github.com/pingcap/tidb/executor"
 	"github.com/pingcap/tidb/util/testkit"
 )
 
@@ -181,14 +183,26 @@ func (s *testSuite) TestIssue2456(c *C) {
 	tk.MustExec("GRANT ALL PRIVILEGES ON `dddb_%`.`te%` to 'dduser'@'%';")
 }
 
+func (s *testSuite) TestNoAutoCreateUser(c *C) {
+	tk := testkit.NewTestKit(c, s.store)
+	tk.MustExec(`DROP USER IF EXISTS 'test'@'%'`)
+	tk.MustExec(`SET sql_mode='NO_AUTO_CREATE_USER'`)
+	_, err := tk.Exec(`GRANT ALL PRIVILEGES ON *.* to 'test'@'%' IDENTIFIED BY 'xxx'`)
+	c.Check(err, NotNil)
+	c.Assert(terror.ErrorEqual(err, executor.ErrPasswordNoMatch), IsTrue)
+}
+
 func (s *testSuite) TestCreateUserWhenGrant(c *C) {
 	tk := testkit.NewTestKit(c, s.store)
 	tk.MustExec(`DROP USER IF EXISTS 'test'@'%'`)
+	// This only applies to sql_mode:NO_AUTO_CREATE_USER off
+	tk.MustExec(`SET SQL_MODE=''`)
 	tk.MustExec(`GRANT ALL PRIVILEGES ON *.* to 'test'@'%' IDENTIFIED BY 'xxx'`)
 	// Make sure user is created automatically when grant to a non-exists one.
 	tk.MustQuery(`SELECT user FROM mysql.user WHERE user='test' and host='%'`).Check(
 		testkit.Rows("test"),
 	)
+	tk.MustExec(`DROP USER IF EXISTS 'test'@'%'`)
 }
 
 func (s *testSuite) TestIssue2654(c *C) {
diff --git a/executor/simple_test.go b/executor/simple_test.go
index 0564f01bc6f87..ffd819d98d845 100644
--- a/executor/simple_test.go
+++ b/executor/simple_test.go
@@ -181,7 +181,6 @@ func (s *testSuite) TestUser(c *C) {
 		"localhost test testDB Y Y Y Y Y Y Y N Y Y N N N N N N Y N N",
 		"localhost test testDB1 Y Y Y Y Y Y Y N Y Y N N N N N N Y N N",
 		"% dddb_% dduser Y Y Y Y Y Y Y N Y Y N N N N N N Y N N",
-		"% test test Y N N N N N N N N N N N N N N N N N N",
 		"localhost test testDBRevoke N N N N N N N N N N N N N N N N N N N",
 	))
 
diff --git a/session/session_test.go b/session/session_test.go
index 57aa93e0477c4..76b9b12272d83 100644
--- a/session/session_test.go
+++ b/session/session_test.go
@@ -2034,8 +2034,9 @@ func (s *testSessionSuite) TestDBUserNameLength(c *C) {
 	tk := testkit.NewTestKitWithInit(c, s.store)
 	tk.MustExec("create table if not exists t (a int)")
 	// Test user name length can be longer than 16.
-	tk.MustExec(`grant all privileges on test.* to 'abcddfjakldfjaldddds'@'%' identified by ''`)
-	tk.MustExec(`grant all privileges on test.t to 'abcddfjakldfjaldddds'@'%' identified by ''`)
+	tk.MustExec(`CREATE USER 'abcddfjakldfjaldddds'@'%' identified by ''`)
+	tk.MustExec(`grant all privileges on test.* to 'abcddfjakldfjaldddds'@'%'`)
+	tk.MustExec(`grant all privileges on test.t to 'abcddfjakldfjaldddds'@'%'`)
 }
 
 func (s *testSessionSuite) TestKVVars(c *C) {