Samba should check all of the KVNOs in the keytab, support old KVNO in the case where keytab is configured to use Kerberos keytab
Modern and all supported versions (e.g. 4.8 and above) of Samba do correctly handle multiple KVNOs in a keytab, either by correctly maintaining the KVNO (source4, i.e. the AD DC) or scanning all keys (source3, the file server). Likely fixed since the gensec work done for Samba 4.0.