diff --git a/sssd-1.13.3.tar.gz b/sssd-1.13.3.tar.gz
deleted file mode 100644
index f7cfd38..0000000
--- a/sssd-1.13.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3fd8fe8e6ee9f50b33eecd1bcccfaa44791f30d4e5f3113ba91457ba5f411f85
-size 4661143
diff --git a/sssd-1.13.3.tar.gz.asc b/sssd-1.13.3.tar.gz.asc
deleted file mode 100644
index e88c30a..0000000
--- a/sssd-1.13.3.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlZwc5IACgkQHsardTLnvCXyOgCg20lBb2owmQRYRjPZClBcn9+y
-GU4AnR/tg+KqvfA/djm5yoV4/Ys3LA2g
-=zefD
------END PGP SIGNATURE-----
diff --git a/sssd-1.13.4.tar.gz b/sssd-1.13.4.tar.gz
new file mode 100644
index 0000000..8e16ee3
--- /dev/null
+++ b/sssd-1.13.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a7bba7697088734c5fa1844dbb6de4f1f11afd30df02f0c1dd2579114c0a194
+size 4730392
diff --git a/sssd-1.13.4.tar.gz.asc b/sssd-1.13.4.tar.gz.asc
new file mode 100644
index 0000000..adc22cc
--- /dev/null
+++ b/sssd-1.13.4.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAlcPWC0ACgkQHsardTLnvCUN0ACfUaD9ymW6zqntaFMG+xYLChRj
+3FUAoItHho7bSsdNziD98BhPQKLPAETj
+=CSMb
+-----END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index 3c8c304..741a3c2 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,50 @@
+-------------------------------------------------------------------
+Mon Apr 18 12:24:29 UTC 2016 - hguo@suse.com
+
+- Enable PAC responder.
+  PAC is an extension element returned by domain controller, to speed
+  up resolution of authorisation data such as group memberships.
+
+-------------------------------------------------------------------
+Thu Apr 14 17:20:11 UTC 2016 - michael@stroeder.com
+
+- Update to new upstream release 1.13.4
+  * The IPA sudo provider was reimplemented. The new version reads the
+    data from IPA's LDAP tree (as opposed to the compat tree populated by
+    the slapi-nis plugin that was used previously). The benefit is that
+    deployments which don't require the compat tree for other purposes,
+    such as support for non-SSSD clients can disable those autogenerated
+    LDAP trees to conserve resources that slapi-nis otherwise requires. There
+    should be no visible changes to the end user.
+  * SSSD now has the ability to renew the machine credentials (keytabs)
+    when the ad provider is used. Please note that a recent version of
+    the adcli (0.8 or newer) package is required for this feature to work.
+  * The automatic ID mapping feature was improved so that the administrator
+    is no longer required to manually set the range size in case a RID in
+    the AD domain is larger than the default range size
+  * A potential infinite loop in the NFS ID mapping plugin that was
+    resulting in an excessive memory usage was fixed
+  * Clients that are pinned to a particular AD site using the ad_site
+    option no longer communicate with DCs outside that site during service
+    discovery.
+  * The IPA identity provider is now able to resolve external
+    (typically coming from a trusted AD forest) group members during
+    get-group-information requests. Please note that resolving external
+    group memberships for AD users during the initgroup requests used to
+    work even prior to this update. This feature is mostly useful for cases
+    where an IPA client is using the compat tree to resolve AD trust users.
+  * The IPA ID views feature now works correctly even for deployments
+    without a trust relationship. Previously, the subdomains IPA provider
+    failed to read the views data if no master domain record was created
+    on the IPA server during trust establishment.
+  * A race condition in the client libraries between the SSSD closing
+    the socket as idle and the client application using the socket was
+    fixed. This bug manifested with a Broken Pipe error message on the
+    client.
+  * SSSD is now able to resolve users with the same usernames in different
+    OUs of an AD domain
+  * The smartcard authentication now works properly with gnome-screensaver
+
 -------------------------------------------------------------------
 Wed Feb 10 16:38:37 UTC 2016 - mpluskal@suse.com
 
diff --git a/sssd.spec b/sssd.spec
index 2a41add..1fdbe2a 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -17,7 +17,7 @@
 
 
 Name:           sssd
-Version:        1.13.3
+Version:        1.13.4
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0+ and LGPL-3.0+
@@ -81,6 +81,7 @@ BuildRequires:  pkgconfig(python)
 BuildRequires:  pkgconfig(talloc)
 BuildRequires:  pkgconfig(tdb) >= 1.1.3
 BuildRequires:  pkgconfig(tevent)
+BuildRequires:  pkgconfig(ndr_krb5pac)
 %{?systemd_requires}
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
@@ -401,7 +402,6 @@ export LDFLAGS="-pie"
     --with-os=suse \
     --with-semanage=no \
     --disable-ldb-version-check \
-    --disable-pac-responder
 
 make %{?_smp_mflags} all
 
@@ -540,6 +540,7 @@ rm -f /var/lib/sss/db/*.ldb
 %dir %_libdir/%name/
 %_libdir/%name/libsss_ad.so
 %dir %_libexecdir/%name/
+%_libexecdir/%name/sssd_pac
 %_libexecdir/%name/gpo_child
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/