This is almost definitely an Open Directory authentication issue. Problems with mounting network home directories generally produce an error dialog after login has been successful and the dock and desktop have appeared. A shaking login window means PasswordServer didn't authenticate the user.
Here are some things to try:
Global Open Directory Policies - Look in Server Admin.app -> Open Directory -> Settings -> Policy. Is the account violating any of these policies?
User Open Directory Policies - Look in Workgroup Manager.app -> Select the user -> Advanced -> Options. Anything in there that explains why they can't authenticate?
Password Server Log - The log you should be watching while the user attempts to log in is /Library/Logs/PasswordService/ApplePasswordServer.Server.log.
Other Authentication Methods - You could try to isolate the issue by having the user attempt to connect to some other service. You could have them connect to AFP from some other computer that is already logged in. Or on the server, you could log in as an admin user and then type kinit <username> in the terminal. See if it accepts the user's password there.
Look inside PasswordServer DB - As the admin user on your Open Directory master, do sudo mkpassdb -dump and find the user in question. Find the hexadecimal slot ID, and then do sudo mkpassdb -dump 0x42f0a7b01234758e00220189001231ff. Look closely under the Access Features to see if anything is amiss.