diff --git a/config/krb5conf.go b/config/krb5conf.go
index 916de62b..4fca176f 100644
--- a/config/krb5conf.go
+++ b/config/krb5conf.go
@@ -472,25 +472,25 @@ func NewConfigFromScanner(scanner *bufio.Scanner) (*Config, error) {
 	var lines []string
 	for scanner.Scan() {
 		// Skip comments and blank lines
-		if matched, _ := regexp.MatchString(`\s*(#|;|\n)`, scanner.Text()); matched {
+		if matched, _ := regexp.MatchString(`^\s*(#|;|\n)`, scanner.Text()); matched {
 			continue
 		}
-		if matched, _ := regexp.MatchString(`\s*\[libdefaults\]\s*`, scanner.Text()); matched {
+		if matched, _ := regexp.MatchString(`^\s*\[libdefaults\]\s*`, scanner.Text()); matched {
 			sections[len(lines)] = "libdefaults"
 			sectionLineNum = append(sectionLineNum, len(lines))
 			continue
 		}
-		if matched, _ := regexp.MatchString(`\s*\[realms\]\s*`, scanner.Text()); matched {
+		if matched, _ := regexp.MatchString(`^\s*\[realms\]\s*`, scanner.Text()); matched {
 			sections[len(lines)] = "realms"
 			sectionLineNum = append(sectionLineNum, len(lines))
 			continue
 		}
-		if matched, _ := regexp.MatchString(`\s*\[domain_realm\]\s*`, scanner.Text()); matched {
+		if matched, _ := regexp.MatchString(`^\s*\[domain_realm\]\s*`, scanner.Text()); matched {
 			sections[len(lines)] = "domain_realm"
 			sectionLineNum = append(sectionLineNum, len(lines))
 			continue
 		}
-		if matched, _ := regexp.MatchString(`\s*\[.*\]\s*`, scanner.Text()); matched {
+		if matched, _ := regexp.MatchString(`^\s*\[.*\]\s*`, scanner.Text()); matched {
 			sections[len(lines)] = "unknown_section"
 			sectionLineNum = append(sectionLineNum, len(lines))
 			continue
diff --git a/config/krb5conf_test.go b/config/krb5conf_test.go
index f594adbd..854b7e69 100644
--- a/config/krb5conf_test.go
+++ b/config/krb5conf_test.go
@@ -48,6 +48,7 @@ const (
         kdc = kerberos.example.com
         kdc = kerberos-1.example.com
         admin_server = kerberos.example.com
+        auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/.*//
  }