You are correct, the client side Subject is not updated to be in "synch" with the server side Subject.
But there is nothing in JAAS and in the J2EE spec that is saying that it should be.
For example, WebSphere and WebLogic (I believe) are also not providing such a mechanism.
In all three app servers, the client side subject/login context is merely a mechanism to collect user credentials and set up the client security context that will be propagated to the server at each remote invocation (so the server side knows in which context - with which subject/principal - the remote call is made).
Your best option is to implement what you suggested (a method from an EJB on the server to retrieve roles manually).