failed idmap uid-to-sid lookups need (negative) caching
There are situations where the CIFS server may repeatedly ask idmap for the SID for some Unix UID or GID, where idmap cannot find a SID. One example is the SMB "NT Transact" sub-command NT_TRANSACT_QUERY_QUOTA. For this call, the SMB server does the equivalent of a "zfs userspace" command and then converts the returned quota information from UIDs to SIDs. These conversions may encounter UIDs for users that are not currently logged on, and for which idmap may not be able to find a Windows SID. These operations can happen so frequently that idmap gets swamped with these failed lookups.
One simple improvement to remedy this problem would be to have idmap cache all failed UID-to-SID lookups, at least for a short time. Such "negative" cache elements would need to be explicitly replaced when SID-to-UID mappings are created for the same UID.
The same issue exists for GID-to-SID and SID-to-GID mappings.
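
The negative cache proposed above, as an added C example that is not idmap's own code: failed lookups are remembered for a short time, UIDs and GIDs are keyed separately, and creating a mapping drops the cached failure for that UID. The table size, the 60-second lifetime, the names `id_to_sid`, `create_mapping` and `backend_lookup`, and the SID string are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <time.h>

#define NEG_SLOTS 256   /* assumed table size */
#define NEG_TTL   60    /* assumed lifetime of a cached failure, in seconds */

struct neg_entry { uint32_t id; bool is_group, used; time_t expires; };
static struct neg_entry neg_cache[NEG_SLOTS];
static unsigned backend_calls;          /* number of expensive lookups made */
static uint32_t mapped_uid;             /* toy mapping store: one mapped UID */
static bool have_map;

static struct neg_entry *neg_slot(uint32_t id, bool is_group) {
    return &neg_cache[(id * 2u + is_group) % NEG_SLOTS];  /* UID and GID kept apart */
}

/* True if a failure for this ID is cached and has not expired. */
static bool neg_hit(uint32_t id, bool is_group, time_t now) {
    struct neg_entry *e = neg_slot(id, is_group);
    return e->used && e->id == id && e->is_group == is_group && now < e->expires;
}

/* Hypothetical stand-in for the slow resolver; the SID is a constructed value. */
static const char *backend_lookup(uint32_t id, bool is_group) {
    backend_calls++;
    return (have_map && !is_group && id == mapped_uid) ? "S-1-5-21-1-2-3-1105" : NULL;
}

/* Returns the SID, or NULL; a NULL result is remembered for NEG_TTL seconds. */
const char *id_to_sid(uint32_t id, bool is_group, time_t now) {
    if (neg_hit(id, is_group, now)) return NULL;   /* answered from negative cache */
    const char *sid = backend_lookup(id, is_group);
    if (sid == NULL)
        *neg_slot(id, is_group) = (struct neg_entry){ id, is_group, true, now + NEG_TTL };
    return sid;
}

/* Creating a mapping must drop any cached failure for the same UID. */
void create_mapping(uint32_t uid) {
    struct neg_entry *e = neg_slot(uid, false);
    mapped_uid = uid; have_map = true;
    if (e->used && e->id == uid && !e->is_group) e->used = false;
}

int main(void) {
    id_to_sid(5000, false, 0); id_to_sid(5000, false, 10);
    return backend_calls == 1 ? 0 : 1;  /* second call hit the negative cache */
}
```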