--- a/source3/utils/ntlm_auth.c 2018-02-02 17:10:25.884991051 +0300
+++ b/source3/utils/ntlm_auth.c 2018-02-05 10:15:19.727353118 +0300
@@ -172,6 +172,7 @@
 static int use_cached_creds;
 static int offline_logon;
 static int opt_allow_mschapv2;
+static int use_kv_format;
 static const char *require_membership_of;
 static const char *require_membership_of_sid;
@@ -1561,9 +1562,17 @@
 reply_arg = nt_errstr(nt_status);
 DEBUG(1, ("GENSEC failed to retrieve the session info: %s\n", nt_errstr(nt_status)));
 } else {
-
- reply_code = "AF";
- reply_arg = talloc_strdup(state->gensec_state, session_info->unix_info->unix_name);
+ // The interface for all helpers has been extended to support arbitrary lists of key=value pairs, with the syntax key=value.
+ // For responses, the safe way is to either URL-escape, or to enclose the value in double_quotes (");
+ if (use_kv_format) {
+ reply_code = "OK"; // AF is deprecated by OK
+ char* username = rfc1738_escape(NULL, session_info->unix_info->unix_name);
+ reply_arg = talloc_asprintf(state->gensec_state, "user=%s", username);
+ talloc_free(username);
+ } else {
+ reply_code = "AF";
+ reply_arg = talloc_strdup(state->gensec_state, session_info->unix_info->unix_name);
+ }
 if (reply_arg == NULL) {
 reply_code = "BH out of memory";
 reply_arg = nt_errstr(NT_STATUS_NO_MEMORY);
@@ -2252,7 +2261,8 @@
 OPT_PAM_WINBIND_CONF,
 OPT_TARGET_SERVICE,
 OPT_TARGET_HOSTNAME,
- OPT_OFFLINE_LOGON
+ OPT_OFFLINE_LOGON,
+ OPT_USE_KV_FORMAT
 };
 int main(int argc, const char **argv)
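Review bot: In the `@@ -1561` hunk the result of `rfc1738_escape()` goes straight into `talloc_asprintf(..., "user=%s", username)` without a NULL check, so if the escape fails (presumably on allocation failure; its definition is not in this diff) the helper can emit a success reply carrying a bogus `user=(null)` identity, or hit undefined behaviour, and the `reply_arg == NULL` check that follows never fires. Because the consumer takes this value as the authenticated user name, the branch should fail closed: `reply_arg = (username != NULL) ? talloc_asprintf(state->gensec_state, "user=%s", username) : NULL;`, which routes the failure into the existing `BH out of memory` reply. As a style point, `char* username` is declared after a statement and the new comments use `//`; declaring `char *username = NULL;` at the top of the block and using `/* */` comments is the safer choice if the project builds with older C rules, which is worth checking against its coding guide. The enclosing function starts and ends outside the hunk.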
@@ -2300,6 +2310,7 @@
 { "pam-winbind-conf", 0, POPT_ARG_STRING, &opt_pam_winbind_conf, OPT_PAM_WINBIND_CONF, "Require that request must set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5 auth is required" },
 { "target-service", 0, POPT_ARG_STRING, &opt_target_service, OPT_TARGET_SERVICE, "Target service (eg http)" },
 { "target-hostname", 0, POPT_ARG_STRING, &opt_target_hostname, OPT_TARGET_HOSTNAME, "Target hostname" },
+ { "use-kv-format", 0, POPT_ARG_NONE, &use_kv_format, OPT_USE_KV_FORMAT, "Use key-value format on reply"},
 POPT_COMMON_CONFIGFILE
 POPT_COMMON_VERSION
 POPT_COMMON_OPTION
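Review bot: The help text for `--use-kv-format` does not tell an operator what changes on the wire. In the hunks shown, only the GENSEC session-info success path consults `use_kv_format`, switching from an `AF` reply carrying the bare name to an `OK` reply carrying `user=<escaped name>`. I would say so in the option text, e.g. `"Reply with OK user=<URL-escaped name> instead of AF <name>"`, and document that the consumer must URL-unescape the value before using it in an authorization decision. Whether other helper modes outside this diff still answer `AF` when the flag is set cannot be seen here and is worth checking so the option behaves consistently.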