Although users can login via the GUI and vastool user checkaccess shows they have access, users can not ssh in.
syslog or debug will look something like the following like the following:
pam_vas: Authentication <succeeded> for <Active Directory> user: <bob> account: firstname.lastname@example.org service: <sshd> reason: <N/A> Access Control Identifier
pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
error: PAM: permission denied for bob from 10.10.10.10
Connection closed by 10.10.10.10 [preauth]
On MAC Client allow the user permission to remote login
System Preferences -> Sharing -> Remote Login