AD user can't log in until local admin account logs in

I have one computer where the user intermittently cannot log in to their mobile AD account. When this occurs, logging into the local administrator account and then logging out allows the user the log in normally. The issue is difficult to reproduce, but when it occurs, there is always similar output in secure.log. Here is a sanitized excerpt from the log, showing where the user rebooted and was not able to log in after. After that, you can see where I logged in with a local administrator account, and rebooted after that.

Oct 15 09:58:20 JA-S1-10656 shutdown[4788]: reboot by <EXAMPLE-USER>:

Oct 15 09:58:50 localhost com.apple.SecurityServer[21]: Session 100000 created

Oct 15 09:58:50 JA-S1-10656 com.apple.SecurityServer[21]: Entering service

Oct 15 09:58:50 JA-S1-10656 com.apple.SecurityServer[21]: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/UserEventAgent' [11] for authorization created by '/usr/libexec/UserEventAgent' [11]

Oct 15 09:58:47 JA-S1-10656 com.apple.SecurityServer[21]: Session 100005 created

Oct 15 09:58:47 JA-S1-10656 loginwindow[63]: Login Window Started Security Agent

Oct 15 09:58:47 JA-S1-10656 SecurityAgent[178]: Echo enabled

Oct 15 09:58:49 JA-S1-10656 SecurityAgent[178]: spawn_via_launchd() failed, errno=5 label=[0x0-0x8008].com.apple.AppleSpell path=/System/Library/Services/AppleSpell.service/Contents/MacOS/AppleSpell flags=0

Oct 15 09:58:52 JA-S1-10656 com.apple.SecurityServer[21]: Succeeded authorizing right 'system.preferences' by client '/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeco nfig' [486] for authorization created by '/usr/sbin/systemsetup' [485]

Oct 15 09:59:01 JA-S1-10656 SecurityAgent[178]: Could not get the user record from OpenDirectory.

Oct 15 09:59:01 JA-S1-10656 SecurityAgent[178]: Will sleep 3 seconds and try again (retryCount = 10)

Oct 15 09:59:04 JA-S1-10656 SecurityAgent[178]: Could not get the user record from OpenDirectory.

Oct 15 09:59:04 JA-S1-10656 SecurityAgent[178]: Will sleep 3 seconds and try again (retryCount = 9)

Oct 15 09:59:07 JA-S1-10656 SecurityAgent[178]: Could not get the user record from OpenDirectory.

Oct 15 09:59:07 JA-S1-10656 SecurityAgent[178]: Will sleep 3 seconds and try again (retryCount = 8)

Oct 15 09:59:11 JA-S1-10656 SecurityAgent[178]: Could not get the user record from OpenDirectory.

Oct 15 09:59:11 JA-S1-10656 SecurityAgent[178]: Will sleep 3 seconds and try again (retryCount = 7)

Oct 15 09:59:14 JA-S1-10656 SecurityAgent[178]: Could not get the user record from OpenDirectory.

Oct 15 09:59:14 JA-S1-10656 SecurityAgent[178]: Will sleep 3 seconds and try again (retryCount = 6)

Oct 15 09:59:17 JA-S1-10656 SecurityAgent[178]: User info context values set for <EXAMPLE-USER>

Oct 15 09:59:17 JA-S1-10656 SecurityAgent[178]: Unknown user "<EXAMPLE-USER> " login attempt PASSED for auditing

Oct 15 09:59:42 JA-S1-10656 SecurityAgent[178]: User info context values set for <EXAMPLE-USER>

Oct 15 09:59:42 JA-S1-10656 SecurityAgent[178]: Unknown user "<EXAMPLE-USER> " login attempt PASSED for auditing

Oct 15 11:16:06 JA-S1-10656 SecurityAgent[178]: Could not get the user record from OpenDirectory.

Oct 15 11:16:06 JA-S1-10656 SecurityAgent[178]: Will sleep 3 seconds and try again (retryCount = 10)

Oct 15 11:16:09 JA-S1-10656 SecurityAgent[178]: Could not get the user record from OpenDirectory.

Oct 15 11:16:09 JA-S1-10656 SecurityAgent[178]: Will sleep 3 seconds and try again (retryCount = 9)

Oct 15 11:16:12 JA-S1-10656 SecurityAgent[178]: Could not get the user record from OpenDirectory.

Oct 15 11:16:12 JA-S1-10656 SecurityAgent[178]: Will sleep 3 seconds and try again (retryCount = 8)

Oct 15 11:16:15 JA-S1-10656 SecurityAgent[178]: User info context values set for <EXAMPLE-USER>

Oct 15 11:16:15 JA-S1-10656 SecurityAgent[178]: Unknown user "<EXAMPLE-USER> " login attempt PASSED for auditing

Oct 15 11:16:17 JA-S1-10656 SecurityAgent[178]: User info context values set for <EXAMPLE-USER>

Oct 15 11:16:17 JA-S1-10656 SecurityAgent[178]: Unknown user "<EXAMPLE-USER> " login attempt PASSED for auditing

Oct 15 11:16:18 JA-S1-10656 SecurityAgent[178]: User info context values set for <EXAMPLE-USER>

Oct 15 11:16:18 JA-S1-10656 SecurityAgent[178]: Unknown user "<EXAMPLE-USER> " login attempt PASSED for auditing

Oct 15 11:16:20 JA-S1-10656 SecurityAgent[178]: User info context values set for <EXAMPLE-USER>

Oct 15 11:16:20 JA-S1-10656 SecurityAgent[178]: Unknown user "<EXAMPLE-USER> " login attempt PASSED for auditing

____________________________________________________________

At this point, I logged in as localadmin (local administrator account)

____________________________________________________________

Oct 15 11:16:25 JA-S1-10656 SecurityAgent[178]: User info context values set for localadmin

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_authenticate(): Got user: localadmin

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_authenticate(): Got ruser: (null)

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_authenticate(): Got service: authorization

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in od_principal_for_user(): No authentication authority returned

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in od_principal_for_user(): failed: 7

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_authenticate(): Done cleanup3

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_authenticate(): Kerberos 5 refuses you

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in od_record_check_pwpolicy(): retval: 0

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in od_record_attribute_create_cfstring(): returned 3 attributes for dsAttrTypeStandard:AuthenticationAuthority

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): Establishing credentials

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): Got user: localadmin

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): Context initialised

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): Got euid, egid: 0 0

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): Done getpwnam()

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): Done setegid() & seteuid()

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): pam_sm_setcred: krb5 user localadmin doesn't have a principal

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): Done cleanup3

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): Done seteuid() & setegid()

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): Done cleanup4

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): pam_sm_setcred: ntlm

Oct 15 11:16:25 JA-S1-10656 authorizationhost[660]: in pam_sm_setcred(): pam_sm_setcred: no domain found skipping

Oct 15 11:16:25 JA-S1-10656 SecurityAgent[178]: Login Window login proceeding

Oct 15 11:16:34 JA-S1-10656 com.apple.SecurityServer[21]: Succeeded authorizing right 'system.login.console' by client '/System/Library/CoreServices/loginwindow.app' [63] for authorization created by '/System/Library/CoreServices/loginwindow.app' [63]

Oct 15 11:16:34 JA-S1-10656 loginwindow[63]: Login Window - Returned from Security Agent

Oct 15 11:16:39 JA-S1-10656 com.apple.SecurityServer[21]: Succeeded authorizing right 'system.login.done' by client '/System/Library/CoreServices/loginwindow.app' [63] for authorization created by '/System/Library/CoreServices/loginwindow.app' [63]

Oct 15 11:17:01 JA-S1-10656 su[2203]: in pam_sm_authenticate(): authentication succeeded

Oct 15 11:17:01 JA-S1-10656 su[2203]: in pam_sm_acct_mgmt(): The root_only option means root only.

Oct 15 11:17:01 JA-S1-10656 su[2203]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.

Oct 15 11:17:01 JA-S1-10656 su[2203]: in od_record_check_pwpolicy(): retval: 0

Oct 15 11:17:01 JA-S1-10656 su[2203]: in od_record_attribute_create_cfstring(): returned 3 attributes for dsAttrTypeStandard:AuthenticationAuthority

Oct 15 11:17:01 JA-S1-10656 su[2203]: in pam_sm_open_session(): No session type specified.

Oct 15 11:17:01 JA-S1-10656 su[2203]: in pam_sm_open_session(): Going to switch to (localadmin) 501's Background session

Oct 15 11:23:03 JA-S1-10656 com.apple.SecurityServer[21]: Session 100008 created

Oct 15 11:23:04 JA-S1-10656 shutdown[4030]: reboot by localadmin:

____________________________________________________________

At this point, I rebooted the machine and then logged in as the user successfully (the reboot was to try to reproduce the issue).

____________________________________________________________

Oct 15 11:23:04 JA-S1-10656 shutdown[4030]: reboot by localadmin:

Oct 15 11:23:15 localhost com.apple.SecurityServer[21]: Session 100000 created

Oct 15 11:23:15 JA-S1-10656 com.apple.SecurityServer[21]: Entering service

Oct 15 11:23:15 JA-S1-10656 com.apple.SecurityServer[21]: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/UserEventAgent' [11] for authorization created by '/usr/libexec/UserEventAgent' [11]

Oct 15 11:23:22 JA-S1-10656 com.apple.SecurityServer[21]: Session 100005 created

Oct 15 11:23:22 JA-S1-10656 loginwindow[64]: Login Window Started Security Agent

Oct 15 11:23:23 JA-S1-10656 SecurityAgent[200]: Echo enabled

Oct 15 11:23:25 JA-S1-10656 SecurityAgent[200]: spawn_via_launchd() failed, errno=5 label=[0x0-0x8008].com.apple.AppleSpell path=/System/Library/Services/AppleSpell.service/Contents/MacOS/AppleSpell flags=0

Oct 15 11:23:26 JA-S1-10656 com.apple.SecurityServer[21]: Succeeded authorizing right 'system.preferences' by client '/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeco nfig' [346] for authorization created by '/usr/sbin/systemsetup' [345]

Oct 15 11:33:07 JA-S1-10656 SecurityAgent[200]: User info context values set for <EXAMPLE-USER>

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_authenticate(): Got user: <EXAMPLE-USER>

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_authenticate(): Got ruser: (null)

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_authenticate(): Got service: authorization

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_authenticate(): Context initialised

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: <EXAMPLE-USER>@<MY-AD-DOMAIN>

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in od_record_check_pwpolicy(): retval: 0

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in od_record_attribute_create_cfstring(): returned 3 attributes for dsAttrTypeStandard:AuthenticationAuthority

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Establishing credentials

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Got user: <EXAMPLE-USER>

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Context initialised

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Got euid, egid: 0 0

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Done getpwnam()

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Done setegid() & seteuid()

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): pam_sm_setcred: init credential cache

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): pam_sm_setcred: storing credential for: <EXAMPLE-USER>@<MY-AD-DOMAIN>

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Got cache_name: API:428415818:1

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Environment done: KRB5CCNAME=428415818:1

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Cache closed

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Done cleanup2

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Done cleanup3

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Done seteuid() & setegid()

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): Done cleanup4

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): pam_sm_setcred: ntlm

Oct 15 11:33:07 JA-S1-10656 authorizationhost[4196]: in pam_sm_setcred(): pam_sm_setcred: no domain found skipping

Oct 15 11:33:07 JA-S1-10656 SecurityAgent[200]: Login Window login proceeding

Any ideas what might be going on here? We do not use an OD server, if that is helpful.