In newer kernels, if you are using the request-key method for idmapping, rpc.idmapd doesn't actually need to be running. While the /etc/idmapd.conf file is still used for configuring the nfsv4 domain, the rpc.idmapd binary is not used.
However, it always starts because it is "need"ed by the nfsclient init script.
Ideally I suppose the script could dynamically determine if it is needed by checking the kernel version and possible kernel options and the presence of the /etc/request-key.d/id_resolver.conf file, but I think it would probably be simpler to just change the "need" to a "use" and require the user to explicitly enable it if their configuration requires it.
Hmm, I didn't think to look initially, but I see /etc/conf.d/nfsclient already has this comment:
# If you are using only nfsv3, uncomment this line:
I suppose a simple fix might be just changing that comment to "If you are using only nfsv3 or nfsv4 idmapping with the request-key upcall method".
*** This bug has been marked as a duplicate of bug 413173 ***