diff --git a/.gitignore b/.gitignore index 7c2760e..0436ce1 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ /authselect-1.2.2.tar.gz /authselect-1.2.3.tar.gz /authselect-1.2.4.tar.gz +/authselect-1.3.0.tar.gz diff --git a/authselect.spec b/authselect.spec index 23c694f..81d4e2a 100644 --- a/authselect.spec +++ b/authselect.spec @@ -2,8 +2,8 @@ %define _empty_manifest_terminate_build 0 Name: authselect -Version: 1.2.4 -Release: 2%{?dist} +Version: 1.3.0 +Release: 1%{?dist} Summary: Configures authentication and identity sources from supported profiles URL: https://github.com/authselect/authselect @@ -12,6 +12,24 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz %global makedir %{_builddir}/%{name}-%{version} +%if 0%{?fedora} >= 35 || 0%{?rhel} >= 10 +%global with_compat 0 +%else +%global with_compat 1 +%endif + +%if 0%{?fedora} >= 36 || 0%{?rhel} >= 10 +%global with_user_nsswitch 0 +%global enforce_authselect 1 +%else +%global with_user_nsswitch 1 +%global enforce_authselect 0 +%endif + +# Set the default profile +%{?fedora:%global default_profile sssd with-silent-lastlog} +%{?rhel:%global default_profile sssd} + BuildRequires: autoconf BuildRequires: automake BuildRequires: findutils @@ -25,16 +43,21 @@ BuildRequires: po4a BuildRequires: %{_bindir}/a2x BuildRequires: libcmocka-devel >= 1.0.0 BuildRequires: libselinux-devel +%if %{with_compat} +BuildRequires: python3-devel +%endif Requires: authselect-libs%{?_isa} = %{version}-%{release} Suggests: sssd Suggests: samba-winbind Suggests: fprintd-pam Suggests: oddjob-mkhomedir +%if !%{with_compat} # Properly obsolete removed authselect-compat package. Obsoletes: authselect-compat < 1.2.4 # Inherited from former authselect-compat package. Obsoletes: authconfig < 7.0.1-6 +%endif %description Authselect is designed to be a replacement for authconfig but it takes 
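Review bot: `default_profile` is only defined when `%{fedora}` or `%{rhel}` is set, but further down in this patch `%posttrans libs` expands it unconditionally in `authselect select %{default_profile} --force`. On a build where neither macro exists, rpm would leave the literal `%{default_profile}` text in the scriptlet. A fallback right after the two definitions, for example `%{!?default_profile:%global default_profile sssd}`, or an `%{error:...}` if no default is acceptable, keeps the scriptlet well-formed. A one-line comment on why `with_compat` switches at Fedora 35 while `with_user_nsswitch` and `enforce_authselect` switch at 36 would also help the next rebase.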
@@ -54,7 +77,14 @@ Requires: gawk Requires: grep Requires: sed Requires: systemd -Requires: pam >= 1.3.1-23 +%if %{enforce_authselect} +# authselect now owns nsswitch.conf (glibc) and pam files +Conflicts: pam < 1.5.2-8 +Conflicts: glibc < 2.34.9000-27 +# systemd, nss-mdns no longer contains nsswitch.conf scriptlets +Conflicts: systemd < 249.7-4 +Conflicts: nss-mdns < 0.15.1-3 +%endif %description libs Common library files for authselect. This package is used by the authselect @@ -68,6 +98,24 @@ Requires: authselect-libs%{?_isa} = %{version}-%{release} System header files and development libraries for authselect. Useful if you develop a front-end for the authselect library. +%if %{with_compat} +%package compat +Summary: Tool to provide minimum backwards compatibility with authconfig +Obsoletes: authconfig < 7.0.1-6 +Provides: authconfig +Requires: authselect%{?_isa} = %{version}-%{release} +Recommends: oddjob-mkhomedir +Suggests: sssd +Suggests: realmd +Suggests: samba-winbind + +%description compat +This package will replace %{_sbindir}/authconfig with a tool that will +translate some of the authconfig calls into authselect calls. It provides +only minimum backward compatibility and users are encouraged to migrate +to authselect completely. +%endif + %prep %setup -q @@ -78,7 +126,16 @@ done %build autoreconf -if -%configure --with-pythonbin="%{__python3}" +%configure \ +%if %{with_compat} + --with-pythonbin="%{__python3}" \ + --with-compat \ +%endif +%if %{with_user_nsswitch} + --with-user-nsswitch \ +%endif + %{nil} + %make_build %check 
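Review bot: The `%if %{enforce_authselect}` block in the `authselect-libs` requirements has no `%else`, so on releases where the macro is 0 the removed `Requires: pam >= 1.3.1-23` is gone too and nothing pins a minimum pam there. If the older branches built from this spec still depend on that pam level, restore it with `%else` followed by `Requires: pam >= 1.3.1-23` before the `%endif`. The enforcing branch only declares `Conflicts:` against old pam and glibc and no positive requirement; whether that is intended cannot be told from this hunk.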
@@ -114,7 +171,17 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; %ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin %ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth %ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth +%if %{enforce_authselect} +%ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf +%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth +%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth +%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin +%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth +%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth +%endif +%if %{with_user_nsswitch} %ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf +%endif %dir %{_localstatedir}/lib/authselect %ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/ %ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-db @@ -185,13 +252,19 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; %{_libdir}/libauthselect.so %{_libdir}/pkgconfig/authselect.pc +%if %{with_compat} +%files compat +%{_sbindir}/authconfig +%{python3_sitelib}/authselect/ +%endif + %files -f %{name}.8.lang -f %{name}-migration.7.lang %{_bindir}/authselect %{_mandir}/man8/authselect.8* %{_mandir}/man7/authselect-migration.7* %{_sysconfdir}/bash_completion.d/authselect-completion.sh -%global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid +%global forcefile %{_localstatedir}/lib/rpm-state/%{name}.force %preun if [ $1 == 0 ] ; then 
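Review bot: The new `%ghost` entries for `%{_sysconfdir}/nsswitch.conf` and the five `%{_sysconfdir}/pam.d/` files have no comment saying why authselect-libs now claims them, although the matching `Conflicts:` block has one. Ghost entries ship no content, so what ends up in these files depends entirely on the `%posttrans libs` scriptlet. As far as I know, `rpm -V` checks only ownership and mode for ghost files, not their content. A comment above the block such as `# Generated by authselect in %posttrans; content is validated by 'authselect check', not by rpm -V` would tell administrators where integrity checking of the PAM stack has moved.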
@@ -203,72 +276,67 @@ if [ $1 == 0 ] ; then fi %pre libs -%__rm -f %{validfile} +%if %{enforce_authselect} +# Check if this is a new installation. +%__rm -f %{forcefile} +if [ $1 -eq 1 ] ; then + touch %{forcefile} +fi + +# Check if we are upgrading from older version then authselect-1.3.0 +# The version command is not available on earlier versions if [ $1 -gt 1 ] ; then - # Remember if the current configuration is valid %{_bindir}/authselect check &> /dev/null - if [ $? -eq 0 ]; then - touch %{validfile} + if [ $? -ne 0 ]; then + %{_bindir}/authselect version &> /dev/null + if [ $? -ne 0 ]; then + touch %{forcefile} + fi fi fi +%endif exit 0 %posttrans libs # Copy nsswitch.conf to user-nsswitch.conf if it was not yet created +%if %{with_user_nsswitch} if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then %__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null - - # If we are upgrading from older version, we want to remove these comments. - %__sed -i '/^# Generated by authselect on .*$/{$!{ - N;N # Read also next two lines - /# Generated by authselect on .*\n# Do not modify this file manually.\n/d - }}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null fi +%endif -# If the configuration is valid and we are upgrading from older version -# we need to create these files since they were added in 1.0. -if [ -f %{validfile} ]; then - FILES="nsswitch.conf system-auth password-auth fingerprint-auth \ - smartcard-auth postlogin dconf-db dconf-locks" - - for FILE in $FILES ; do - %__cp -n %{_sysconfdir}/authselect/$FILE \ - %{_localstatedir}/lib/authselect/$FILE &> /dev/null - done - - %__rm -f %{validfile} -fi - -# Add nss-altfiles if we are on Silverblue -if %__grep -i silverblue /etc/os-release &> /dev/null; then +# Keep nss-altfiles for all rpm-ostree based systems. 
+# See https://github.com/authselect/authselect/issues/48 +if %__grep "OSTREE_VERSION=" /etc/os-release &> /dev/null; then for PROFILE in `ls %{_datadir}/authselect/default`; do %{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null +%if %{with_user_nsswitch} %__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null +%else + %__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null +%endif done fi +# If we are upgrading from pre authselect-1.3.0 or this is a new installation +# select the default configuration. +if [ -f %{forcefile} ]; then + %{_bindir}/authselect select %{default_profile} --force &> /dev/null + %__rm -f %{forcefile} +fi + # Apply any changes to profiles (validates configuration first internally) %{_bindir}/authselect apply-changes &> /dev/null -# Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111 -CURRENT=`%{_bindir}/authselect current --raw 2> /dev/null` -if [ $? -eq 0 ]; then - PROFILE=`echo $CURRENT | %__awk '{print $1;}'` - - if [ $PROFILE == "sssd" ] ; then - if %__grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then - %{_bindir}/authselect enable-feature with-sudo &> /dev/null - elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then - %{_bindir}/authselect enable-feature with-sudo &> /dev/null - fi - fi -fi - exit 0 %changelog +* Mon Dec 6 2021 Pavel Březina - 1.3.0-1 +- Rebase to 1.3.0 +- Authselect configuration is now enforced (#2000936) + * Sat Aug 14 2021 Björn Esser - 1.2.4-2 - Add proper Obsoletes for removed authselect-compat package Fixes: rhbz#1993189 diff --git a/sources b/sources index 7e5a1ef..b533281 100644 --- a/sources +++ b/sources 
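Review bot: The added `%{_bindir}/authselect select %{default_profile} --force &> /dev/null` in `%posttrans libs` overwrites the nsswitch and PAM configuration with all output discarded, and the scriptlet ends in `exit 0`, so neither a failure nor the overwrite itself shows up in the transaction output. `%pre libs` sets the marker on fresh installs and on upgrades where both `authselect check` and `authselect version` fail, which presumably includes hand-edited configurations an administrator would want to hear about. I would keep stderr and report the outcome, e.g. `%{_bindir}/authselect select %{default_profile} --force > /dev/null || echo "authselect: could not apply default profile" >&2`, and add a comment above it saying existing files are replaced on purpose. Separately, the added `%__sed -ie '...'` line repeats the `-ie` spelling of the line above it; GNU sed reads that as `-i` with backup suffix `e` and leaves an `nsswitch.confe` copy in the vendor profile, so `-i -e` is what was meant.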
@@ -1 +1 @@
-SHA512 (authselect-1.2.4.tar.gz) = a1a049e6bc8c6e3a41de4ed115d6357edd01f5d4838c6d651b21b7b2f1002b1211a52bb29a00c56c8b33eabbc2ffcf98de093b747066d031098ec90b8d5e7e1f
+SHA512 (authselect-1.3.0.tar.gz) = bebccbd0a3a189812c1e2dc85ab4e4514f56f99728b4c4214862b850ddf259918d7e0ee00acd538045d2a71149b761176ecd2d4744a6ff3f19bccda57445351d