I manage Mac workstations for a large organization, we are required to have cached mobile accounts. Near as I can tell it's a bug in Mojave.
As I understand it, the mobile account works by caching the authentication authority of the domain onto the local workstation; when the workstation can see the DC, it authenticates against it and when it's offline it uses the local cache. In theory this is updated with the password or when the user logs in with the updated password.
Near as I can determine the sync process that facilitates this does not work in Mojave what-so-ever. Furthermore, very little mention of this issue is happening from what I can see, possibly due to the antiquated nature of the AD cached accounts in favor of NoMAD / JAMFConnect.
Mention of the issue appears here : https://www.macintouch.com/community/index.php?threads/mojave-macos-10-14.1223/page-7
What does work is removing the mobile account and recaching it.
Check what systems are locally cached:
sudo dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}'
Remove the account in question (can do it when logged in as that user):
sudo dscl . -delete /Users/[username]
Recreate the mobile user (can do when logged in as user):
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -P -v -n [username]
This will prompt for user password as ell as Secure Token FileVault authenticated user credentials
If you do not specify a password (-p) , the account's cached password will be created during the account's first log in.
reboot
User data should be totally fine as the account folders don't get touched in this...
Obviously this workaround is a pile of garbage - soon as the password changes it is back to being out of sync and broken...
If you use a solution like JAMF - you can script it all to happen after pwd change.
