IPA: Improve DEBUG message if a group has no ipaNTSecurityIdentifier
    
    There was an issue in a production deployment where the admin selected a
    GID outside the IDM range for a group that contained a user from the
    trusted domain. This resulted in not adding a SID for the IPA group,
    which in turn meant the group couldn't be resolved on the client.
    
    This patch just improves the DEBUG message so that it's clearer for the
    admins where the issue is.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>