Got you. No, this is not a bug, you can fix your setup by specifying a
different nisDomainName in the NGP HGP template definition. This would
change default nisDomainName for new netgroups. For existing ones you
would need to go and change nisDomainName attribute manually.

You can do both of these operations with ipa-ldap-updater tool.

1. Changing default nisDomainName in the NGP HGP template.

First, check what
nisDomainName value is in the template. Let's assume your domain suffix
is dc=example,dc=com below. I'll replace it with $DOMAINDN in the output
for brevity.

-----
# export DOMAINDN='dc=example,dc=com'
# ldapsearch -H `cat /etc/ipa/default.conf |grep ldap_uri|cut -d' ' -f3` -b "cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$DOMAINDN"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$DOMAINDN> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# NGP HGP Template, Templates, Managed Entries, etc, example.com
dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$DOMAINDN
objectClass: mepTemplateEntry
objectClass: top
cn: NGP HGP Template
mepRDNAttr: cn
mepStaticAttr: ipaUniqueId: autogenerate
mepStaticAttr: objectclass: ipanisnetgroup
mepStaticAttr: objectclass: ipaobject
mepStaticAttr: nisDomainName: example.com
mepMappedAttr: cn: $cn
mepMappedAttr: memberHost: $dn
mepMappedAttr: description: ipaNetgroup $cn

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
-----

You can see 'mepStaticAttr: nisDomainName: example.com' there. This is
the attribute and the value we should replace.

Now create an update file that replaces nisDomainName with a new one.

-----
# cat 80-change-nisdomainname.update
dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
replace:mepStaticAttr:nisDomainName: example.com::nisDomainName: newexample.com
-----

In the update file above $SUFFIX is one of variables recognized by
ipa-ldap-updater tool. Read its man page for more details.

Run the tool:

-----
# ipa-ldap-updater ./80-change-nisdomainname.update
Update complete
The ipa-ldap-updater command was successful
-----

Now you can use the same ldapsearch command to verify that nisDomainName
was changed in the template definition.

2. Change nisDomainName in the MEP entries.

Since NGP HGP template uses mepStaticAttr to define nisDomainName
attribute in the MEP entries generated with the help of this template,
you need to change individual entries now. To do so you can gather DNs
of the entries and create an update file that changes all of them in one
go:

-----
# ldapsearch -Q -H `cat /etc/ipa/default.conf |grep ldap_uri|cut -d' ' -f3` \
-b cn=ng,cn=alt,$DOMAINDN \
'(&(nisDomainName=example.com)(objectclass=mepManagedEntry))' -LL dn |\
grep dn: | cut -d: -f2- |\
xargs -n1 printf "dn: %s\nreplace:nisDomainName: example.com::newexample.com\n\n"
-----

The pipeline above looks through entries in cn=ng,cn=alt,$DOMAINDN that
were generated by MEP plugin (objectclass=mepManagedEntry) and has
nisDomainName set to example.com. For these entries their DNs printed
out and their values used to construct two new lines per each output.
This would generate output similar to what I have below:

-----
dn: cn=myhostgroup,cn=ng,cn=alt,dc=xs,dc=example,dc=com
replace:nisDomainName: example.com::myexample.com

-----

If you redirect the output to a file named NN-some-name.update where NN
is between 00 and 90 (this is not documented in the man page, sorry),
then you can supply this file to ipa-ldap-updater similar how we did it
in the step 1.