Shaking login with console error: Could not get a user record for [username] from Directory Services

Symptom

After binding a Mac AD account log-ins fail (shaking login).  Console logs report the following:

SecurityAgent[735] Could not get user record for 'username' from Directory ServicesSecurityAgent[735] User infor context values set for usernameSecurityAgent[735] unknown-user (username) login attempt PASSED for auditingSecurityAgent[735] Could not get the user record for 'username' from Directory Services

kinit [username] will generate a Kerberos ticket

id [username] will produce a list of LDAP info for the AD account


login [username] fails


Solution

If you see the Console log errors as described above it generally means that the computer is not able to create a mobile account at log-in.  Try creating a mobile account from Terminal first:


sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/
createmobileaccount -n username
sudo createhomedir -c -u username

Log out and back in with the user's AD credentials.

Creating a mobile account after the fact: Mac

If you need to enable a mobile account after you have already set up a user's network account (and didn't create the mobile account at first log in) do the following:

On the client, log in as the local Administrator, and in Terminal
issue the command:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/
Resources/createmobileaccount -vsn myusername /my/homedirectory

The variables "myusername" and "/my/homedirectory" are specific to
the account you are working with.

If you don't want syncing enabled, the argument is -vSn