Can't make single sign on work to connect to server

The process you have described is LOCAL authorization to get on your local Mac. It does not use the Kerberos provided by the Server, so you will not get single sign-on that way.

You need to add Users to the LDAP database on the Server. Then allow Network users to log in at the local Mac. By doing that you use the SERVER sign-on (with Kerberos, but it looks that same) as your single-sign on.

EDIT: I see you have already made a breakthrough that will get you there.

The Server knows my MacBook...

The server could know there is another device at that IP address. It has no access to anything else on the local (non-Server) Mac. It does not collect information about that Mac beyond its IP Address and possibly its name.

To "interlock" and use Single-sign-on, you make the connection with binding (as you have done) then when logging in, look up the credentials in the Server Open Directory LDAP database rather than the local (on the Mac) database.

In Directory Utility, you have already set up your Authentication chain to use, in this order:

/Local/Default

/LDAPv3/<your-fully-qualified-domain-name>

so when you go to log in, accounts that do not appear locally will be sent to the Sever for authentication by the Server, and if authenticated, will return a Kerberos ticket-granting-ticket as well as logging in on the local Mac.

If the green light is showing the correct Server-name in Users & Groups > Login Options ....

then you have made the Binding required. Press on into Directory Utility and you see the actual chain used for this Authentication.

You can choose to bind securely by having the server exchanging certificates with the Mac, if you prefer. This is set up in Server.

then using my Server credentials to log back in. That doesn't work. You think it should?

If by "server credentials", you mean the Server Admin on the server, then NO. Only Accounts from the Open Directory LDAP database are Authenticated in this way, and the Server Admin is usually not in that database.

The Server Admin account can be used from another Mac for certain operations (e.g., to do screen sharing).

Log in to your MacBook.

launch screen sharing (after you have set it up on the Server computer)

specify the computer-name to connect to.

enter credentials. NB> In this obscure case, you are talking inDirectly to "ordinary" login ...

... on the computer that happens to be the Server, NOT using Single sign-on.

In certain obscure situations, logging in Directly on the Server Computer with a Network Username Precludes any Network Users' subsequent login. Be careful not to mess up your experiments in that way.

When it all works, it works well.

When it does not work, there is very little diagnostic information available to lead the way toward a solution.

Make certain you are not trying to use a name-reference to your Server that uses .local or .private -- those will NOT work.

You need a real or 'completely made-up but real-looking' three part fully qualified domain-name and a DNS set up to resolve to that, both forward and reverse lookup must resolve. Network Utility can be used on the client Mac to check that.

On the client mac, In System Preferences > Network > whatever medium...

... be sure you are using ONLY the IP address of that DNS server, and nothing else. The DNS lookup algorithm uses the first-specified DNS listed. It does NOT check the next ones unless the first one is DEAD. Putting your local DNS Server as the second entry does not work.

I am not sure this is an issue for you, but your Users folder on the Server (whatever its name) should have the [√] "Make available for Home Directories" box checked. (Mine has been renamed and relocated to a different Drive.)

.