diff --git a/.gitignore b/.gitignore
index 3eee980..95af362 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@
 /freeipa-3.0.0.pre2.tar.gz
 /freeipa-3.0.0.rc1.tar.gz
 /freeipa-3.0.0.rc2.tar.gz
+/freeipa-3.0.0.tar.gz
diff --git a/freeipa.spec b/freeipa.spec
index be0cf95..4278b60 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -11,11 +11,11 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 %endif
 %global POLICYCOREUTILSVER 2.1.12-5
 %global gettext_domain ipa
-%global VERSION 3.0.0.rc2
+%global VERSION 3.0.0
 
 Name:           freeipa
 Version:        3.0.0
-Release:        0.10%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -30,7 +30,7 @@ BuildRequires:  svrcore-devel
 BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
-BuildRequires:  samba-devel >= 4.0.0-150
+BuildRequires:  samba-devel >= 4.0.0-153
 BuildRequires:  samba-python
 BuildRequires:  libwbclient-devel
 BuildRequires:  libtalloc-devel
@@ -86,11 +86,12 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
-Requires(pre): 389-ds-base >= 1.2.11.14-1
+Requires(pre): 389-ds-base >= 1.3.0
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
 Requires: krb5-server >= 1.10
+Requires: krb5-server < 1.11
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
@@ -114,7 +115,7 @@ Requires: pki-ca >= pki-ca-10.0.0-0.43.b1
 Requires: pki-silent >= 10.0.0-0.43.b1
 Requires: pki-setup >= 10.0.0-0.43.b1
 # Temporary until dogtag adds their own requires: 09/21/12
-Requires: pki-symkey >= 10.0.0-0.33.a1
+Requires: pki-symkey >= 10.0.0-0.43.a1
 Requires: tomcat >= 7.0.29
 Requires: dogtag-pki-common-theme
 Requires: dogtag-pki-ca-theme
@@ -125,6 +126,7 @@ Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns
 Requires: keyutils
+Requires: zip
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -169,9 +171,16 @@ Group: System Environment/Base
 Requires: %{name}-server = %version-%release
 Requires: python-crypto
 Requires: samba-python
-Requires: samba
+Requires: samba >= 4.0.0-153
 Requires: samba-winbind
 Requires: libsss_idmap
+# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
+# on the installs where server-trust-ad subpackage is installed because
+# IPA AD trusts cannot be used at the same time with the locator plugin
+# since Winbindd will be configured in a different mode
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Requires(preun): %{_sbindir}/update-alternatives
 
 %description server-trust-ad
 Cross-realm trusts with Active Directory in IPA require working Samba 4 installation.
@@ -184,7 +193,7 @@ Requires(post): %{name}-server = %{version}-%{release}
 Requires(postun): %{name}-server = %{version}-%{release}
 
 # Specific requires
-Requires(pre): 389-ds-base = 1.2.11.15
+Requires(pre): 389-ds-base = 1.3.0
 Requires: krb5-server = 1.10.3
 Requires: pki-ca = 10.0.0
 
@@ -359,6 +368,7 @@ rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
 mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
 mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
 mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
+mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/pki-ca/publish
 mkdir %{buildroot}%{_usr}/share/ipa/html/
 ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \
     %{buildroot}%{_usr}/share/ipa/html/ffconfig.js
@@ -401,6 +411,9 @@ install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 
+mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
+touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+
 mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
 install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_sysconfdir}/tmpfiles.d/ipa.conf
 %endif
@@ -499,6 +512,22 @@ if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; t
        rm -f ${FILE_CONTEXT}.%name
 fi
 fi
+
+%postun server-trust-ad
+if [ "$1" -ge "1" ]; then
+	if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
+		%{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
+	fi
+fi
+
+%post server-trust-ad
+%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
+				winbind_krb5_locator.so /dev/null 90
+
+%preun server-trust-ad
+if [ $1 -eq 0 ]; then
+	%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
+fi
 %endif
 
 
@@ -556,8 +585,6 @@ fi
 %dir %{_usr}/share/ipa/html
 %{_usr}/share/ipa/html/ffconfig.js
 %{_usr}/share/ipa/html/ffconfig_page.js
-%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
-%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig_page.js
 %{_usr}/share/ipa/html/ssbrowser.html
 %{_usr}/share/ipa/html/browserconfig.html
 %{_usr}/share/ipa/html/unauthorized.html
@@ -586,6 +613,8 @@ fi
 %{_usr}/share/ipa/ui/images/*.gif
 %dir %{_sysconfdir}/ipa
 %dir %{_sysconfdir}/ipa/html
+%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
+%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig_page.js
 %config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
 %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
@@ -619,6 +648,8 @@ fi
 %dir %{_localstatedir}/lib/ipa
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
+%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
+%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca/publish
 %dir %{_localstatedir}/cache/ipa
 %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions
 %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
@@ -655,6 +686,7 @@ fi
 %{_mandir}/man1/ipa-adtrust-install.1.gz
 %{python_sitelib}/ipaserver/dcerpc*
 %{python_sitelib}/ipaserver/install/adtrustinstance*
+%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 
 %files server-strict
 %defattr(-,root,root,-)
@@ -709,7 +741,16 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
-%changelog
+* Fri Oct 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-1
+- Updated to upstream 3.0.0 GA
+- Set minimum for samba to 4.0.0-153.
+- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
+  plugin to /dev/null since they cannot be used when trusts are configured
+- Restrict krb5-server to 1.10.
+- Update BR for 389-ds-base to 1.3.0
+- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
+- Add Requires on zip for generating FF browser extension
+
 * Fri Oct  5 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.10
 - Updated to upstream 3.0.0 rc 2
 - Include new FF configuration extension
diff --git a/sources b/sources
index 201f702..aaa6393 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-59038fa8371d2a0163e52fdd0daaf73e  freeipa-3.0.0.rc2.tar.gz
+d80d320f13fa5944eda5112b085cfb51  freeipa-3.0.0.tar.gz