[Freeipa-users] MAKE Freeipa replica not work now

2017-03-28 Thread barrykfl
Hi all: 9444 port can be telnet ...Any idea ? the log show below as I don't have more idea... If I plan to migrate to same version of server what I have to copy ? as I saw step of migration also similar to replica so now stuck on the steps. Any Manual copy steps ? as I copy and paste the LDAP of

[Freeipa-users] any idea this error ? relate to memory?

2017-03-15 Thread barrykfl
8443 port already firewall open but still fail..1G memory only in web hosting..free 600 M still 2017-03-15T01:36:47Z DEBUG The ipa-server-install command failed, exception: NetworkError: cannot connect to ' https://centralaws.ABC.com:8443/ca/rest/account/login': Could not connect to

[Freeipa-users] install freeipa amazon Linux

2017-03-12 Thread barrykfl
Hi: anyone has exp install freeipa in amazon linux base on fedora? I tried install repo myself but it fail only say no such freeipa which repo I should use ...I already tried many difference source still fail. it seem it has its own amaz linux repo. thks barry -- Manage your subscription for

[Freeipa-users] Create Replica fail any idea?? thz

2017-03-09 Thread barrykfl
No expire cert prompt out ., All service ipa status OK. and 9444 port can telnet Creating SSL certificate for the Directory Server preparation of replica failed: cannot connect to ' https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (PR_END_OF_FILE_ERROR) Encountered end of file.

[Freeipa-users] Replica fail to create , all new cert already inside

2017-03-08 Thread barrykfl
Hi: I already done input new cert but ipa-replica-prepare central03.ABC.com (ipa 3.0) it fail with the error as below: which "location" I should check the old cert still inside some where Below I already input CA / server cert ..and nssdb pointing is right ..already spent several days to check

Re: [Freeipa-users] Make Gpg replica fail , where cert store I should update new ?

2017-03-07 Thread barrykfl
I think I already input all ca cert and server cert certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L Trust Attributes SSL,S/MIME,JAR/XPI *.wisers.com < it is the server wild card cert already EXT-CA

Re: [Freeipa-users] Make Gpg replica fail , where cert store I should update new ?

2017-03-07 Thread barrykfl
same as replica gpg making....Found this cert 2015 expired only,,? but I follow manual here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1 It imported as EXT-CA as Alias rather than server cert by default...Is there anywhere pointing wrong

[Freeipa-users] make a new server and migrate old data

2017-03-06 Thread barrykfl
Hi: I have freeipa 3.0 server ...and want to make a new server ignore any cert related. eg I clean install a server using default free ipa server cert ..and copy dirsrv data to new. can I just copy /etc/dirsrv scheme..username /passwords and groups ? Also if I copy these to 4.0 server any

[Freeipa-users] Make Gpg replica fail , where cert store I should update new ?

2017-03-06 Thread barrykfl
gpg Creating SSL certificate for the Directory Server ipa : ERRORcert validation failed for "CN=central.ABC.com,O= ABC.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.) preparation of replica failed: cannot connect to '

[Freeipa-users] where is the CA cert located ?

2016-06-28 Thread barrykfl
Hi : I already follow the procedure to install new CA and add ca.crt to the library I known ...where still missed ? ABC-COM...[28/Jun/2016:15:45:53 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com of family cn=RSA,cn=encryption,cn=config (Netscape

[Freeipa-users] Where should the CA Location

2016-06-22 Thread barrykfl
Hi : I renew External CA cert below ...seem server-cert ok. But ca CERT FAIL.. I ALREADY PASTE ON /etc/httpd/alias /etc/dirsrv/slapd-PKI-IPA /etc/dirsv/slapd-ABX-com /var/lib/pki-ca/alias 's CA conf any idea? ABX-COM...[23/Jun/2016:10:42:32 +0800] - SSL alert: CERT_VerifyCertificateNow:

Re: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-25 Thread barrykfl
externally signed CA - Godaddy Expired. Already add new to db /etc/https/alias / -L and config nickname map in /etc/http/config.d/nss.conf Already Import to /etc/slapd/PKI-IPA ...where nickname I should point to? Already change /etc/dirsrv/slapd-ABC-COM and nickname map in dse.ldif Start stop

[Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-24 Thread barrykfl
hi all: Thx as title ipa : ERRORcert validation failed for "CN=server.abc.com,O=WISERS.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.) preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':

[Freeipa-users] Renewal of new cert concept

2016-05-19 Thread barrykfl
Hi: As stated in the guideline online.../root/ipa.crt is the server cert generated by 3rd party CA ? or the CA cert itself that need to pair with server cert later. thx Give the CSR to your external CA and have them issue you a new certificate. We assume that the resulting certificate is saved

Re: [Freeipa-users] want to make new replicas but cert expire

2016-05-18 Thread barrykfl
Already change a new cert no error prompt when start server. But using ipa-replica install, same error out. So I should miss some folder not yet replace. On 19 May 2016 at 2:01 AM, "Rob Crittenden" wrote: > barry...@gmail.com wrote: > >> Hi: >> >> I type ipa-replica-install server

[Freeipa-users] want to make new replicas but cert expire

2016-05-18 Thread barrykfl
Hi: I type ipa-replica-install server --ip 192.168.1.3 it show my cert expire where location I should input the cert ? trusted by the user.) preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172]

[Freeipa-users] Renable 7389 port on multimaster

2016-05-17 Thread barrykfl
Hi : 2 servers configured as multi master but one of them cannot telnet 7389 how can I check and re-enable it ? Server cannot telnet 7389 should I reinstall CA service ...is it related ? Directory Service: RUNNING KDC Service: RUNNING KPASSWD Service: RUNNING MEMCACHE Service: RUNNING

[Freeipa-users] revise back cert of freeipa

2016-05-15 Thread barrykfl
Hi : Before I use godaddy cert and everything work fine for a year now the cert expired. and break the muial agreement .whatever command I type it shown can't contact ldap server. can I just fall back the ipa self sign cert if I have backup? pls advise the detail procedure Regards. Barry

Re: [Freeipa-users] Restore form backup , start servrer will error but sucess

2016-05-10 Thread barrykfl
So now how can I restore the normal status. Can I export those acc out and restore to new server if same schema.? Manual backup restore I test before should work. On 10 May 2016 at 8:16 PM, "Martin Basti" wrote: > There is no ipa-restore or ipa-backup commands even on RHEL6.7,

[Freeipa-users] Restore form backup , start servrer will error but sucess

2016-05-10 Thread barrykfl
Hi: Restore from backup follow the procedure below: http://www.freeipa.org/page/V3/Backup_and_Restore Now server web page launch but cannot access Sorry you are not allowed to access this service. Starting dirsrv: PKI-IPA... [ OK ]

[Freeipa-users] Upgrade to new IPA

2016-05-10 Thread barrykfl
Hi all: I'm using freeipa 3.0 ...is there a fast way to export username / password and migrate to new 4.0 server not inplace upgrade .? Regards Barry -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-10 Thread barrykfl
Just wonder the freeipa package will have bugs if os too old. On 10 May 2016 at 3:09 PM, "Lukas Slebodnik" wrote: > On (10/05/16 08:19), barry...@gmail.com wrote: > >Do u meant the error related to OS? > I mean that there are known bugs in FreeIPA components. > 389-ds, sssd >

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-09 Thread barrykfl
Do u meant the error related to OS? On 9 May 2016 at 7:17 PM, "Lukas Slebodnik" wrote: > On (09/05/16 12:14), Barry wrote: > > Hello Barry, > > > >Can you provide more info? > > > >What is your IPA version, OS? > > > >CENTOS 6.5 > > > Please upgrade to latest CentOS 6.7 >

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-08 Thread barrykfl
Hello Barry, Can you provide more info? What is your IPA version, OS? CENTOS 6.5 server1 - ipa-server-3.0.0-47.el6.centos.2.x86_64 server 2 - ipa-server-3.0.0-37.el6.x86_64 What are the symptoms you are experiencing? server1 's update not transfer to server 2 but server 2 can transfer to

[Freeipa-users] Restore form full backup but some warns/error ok , BUT WORK OK service

2016-05-05 Thread barrykfl
Hi All: I restore from backup but some lib / pki error come. As the package is ipa-server-3.0.0-26.el6_4.4.x86_64 But now is ipa-server-3.0.0-47.el6.centos.2.x86_64 , it seem no harm ? How to tune it ? Starting KDC Service Starting Kerberos 5 KDC: [ OK

[Freeipa-users] Lost master 1 with CA service

2016-05-04 Thread barrykfl
Hi all: I got master 1 have ca and server 2 replicating. Now master 1 fail all lost. Can i skip it just make server 3 replicated slaved or must recovered master 1. Regards

Re: [Freeipa-users] Inplace upgrade

2016-05-04 Thread barrykfl
U meant it fail start if update minor version only? On 4 May 2016 at 7:25 PM, "Lukas Slebodnik" wrote: > On (04/05/16 13:17), barry...@gmail.com wrote: > >Can specific minor version? > Yes you can > > yum update ipa-server-3.0.0-37.el6.x86_64 > > However, it can fail if this version

[Freeipa-users] Fail to Start up the server

2016-05-04 Thread barrykfl
Hi: Before the server can start up if i disable nasslsecuiry in dse.ldif. But now after I update to minor version from -3.0.0-26 to ipa-server-3.0.0-47.el6.centos.2.x86_64 , it not allow me to start any idea . I think it not relate to ssl cert issue. [04/May/2016:17:32:52 +0800] - SSL alert:

Re: [Freeipa-users] Inplace upgrade

2016-05-03 Thread barrykfl
Can specific minor version? On 4 May 2016 at 1:15 PM, "Devin Acosta" wrote: > Barry, > > Yes you should be able to just do a: "yum update ipa-server" and you > should be good to go. > > > -- > Devin Acosta, RHCE, LFCE > Linux Certified Engineer > e: de...@linuxguru.co > > > On May

[Freeipa-users] Inplace upgrade

2016-05-03 Thread barrykfl
Hi : How to in place upgrade ipa-server-3.0.0-26.el6_4.4.x86_64 to ipa-server-3.0.0-37.el6.x86_64 This is minor version upgrade , can it just type update command? Regards Barry

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
server 1: ipa-server-3.0.0-26.el6_4.4.x86_64 server2 ipa-server-3.0.0-37.el6.x86_64 2016-04-30 1:10 GMT+08:00 : > > ipa-server-3.0.0-37.el6.x86_64 << here > > 2016-04-29 19:36 GMT+08:00 Martin Basti : > >> Please keep, user-list in CC >> >> You did not

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
ipa-server-3.0.0-37.el6.x86_64 << here 2016-04-29 19:36 GMT+08:00 Martin Basti : > Please keep, user-list in CC > > You did not send all information I requested. > > Please use `rpm -ql ipa-server` to get exact version number > > > On 29.04.2016 13:32, barry...@gmail.com

[Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
Hi All: Any method can fall back the default ipa cert if I didn't backup original? Now the slapd and ipa cert storage quite a mess so they can't replicate even disabled nsslapd:security to off thx Barry

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
thx let me try as i don't want stop dirsrv but live disable nsslapd security. On 27 April 2016 at 7:26 PM, "David Kupka" wrote: > On 27/04/16 13:15, barry...@gmail.com wrote: > >> Do u meant use ldapmodify? >> I tried update the dse.ldif but it will fall back after a while. >> >>

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
Do u meant use ldapmodify? I tried update the dse.ldif but it will fall back after a while. On 27 April 2016 at 7:10 PM, "David Kupka" wrote: > On 27/04/16 12:48, barry...@gmail.com wrote: > >> Hi: >> >> Without restarting dirsrv possible do that ? >> >> >> thx Regards >> >> barry >> >>

[Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
Hi: Without restarting dirsrv possible do that ? thx Regards barry

Re: [Freeipa-users] server 1 cannot syn update to server 2 after restart

2016-04-26 Thread barrykfl
server 2 can syn update to server 1 but reverse fail Any idea? error below: Can't contact LDAP server [26/Apr/2016:18:40:13 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be added before the CoS Definition.

[Freeipa-users] Differential data on cluster syn back to server1

2016-04-25 Thread barrykfl
Hi: I have 2 servers clusters replicating ...server1 down server2 take up role running, if server 1 turn on again I found the differential ac/data created on server2 not replicate back to server 1 ...any idea ? Is it possible to syn back the different data manually or force syn? if both servers

[Freeipa-users] 2 servers replicatong if onefail_how_made itreplicate the differential?

2016-04-25 Thread barrykfl
Tried. Normally it replicating but if one fail and still add new users. The recovered server not syn back.

[Freeipa-users] error after change cert

2015-07-06 Thread barrykfl
hi: i changed cert already but seem it still keep history of godaddy any help.?? www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -

Re: [Freeipa-users] error after change cert

2015-07-06 Thread barrykfl
the cert already in httpd / ldap side. but it prompt error [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed. *.wisers.com - COMODO CA Limited u,u,u COMODO RSA Domain

Re: [Freeipa-users] error after change cert

2015-07-06 Thread barrykfl
Do u meant this : i already add the cert to nss and even \etc\ipa\ ca.cert replaced [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI COMODO RSA Domain Validation Secure Server CA

Re: [Freeipa-users] error after change cert

2015-07-06 Thread barrykfl
any command make it refresh ? it seem still getting old godaddy history? 2015-07-06 21:45 GMT+08:00 barry...@gmail.com: Do u meant this : i already add the cert to nss and even \etc\ipa\ ca.cert replaced [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L Certificate Nickname

[Freeipa-users] what error log i should check

2015-07-06 Thread barrykfl
server 1 ipa-replica-manage list Segmentation fault (core dumped) server 2 ipa-replica-manage list Can't contact LDAP server but it seem still syn as i add new ac then server 2 have i delete server2 's name server 1 still delete.

[Freeipa-users] free ipa cluster replication features

2015-05-27 Thread barrykfl
hi all; i have 2 free ipa in same cluster. if a node1 fail stop... i found the connection of their replication stop after node1 fail. now i directly input to the node 2 new accounts , will these new accounts syn back when node 1 start up again.? my issue is that it seem no. Regards Barry

[Freeipa-users] Max life set 0 already but still promot admin rese tpassword every 3 months

2014-09-11 Thread barrykfl
Hi: i set max life no expiry already but still prompt reset password every 3 month any idea to disable it ??? what happening Regards

[Freeipa-users] dirsrv access log redirect

2014-08-19 Thread barrykfl
Dear all: I got 2 servers as cluster ... how can i redirect all logs server2 's /var/log/dirsrv/slapd-abc.com/access to server 1 's /var/log/dirsrv/slapd-abc.com/access so i can view once ?what config should consider ? Or should i use syslog to collect server2 and redirect all to server 1 ?

[Freeipa-users] check access log of when a user login integrated system

2014-08-12 Thread barrykfl
Hi all: I have a bugzilla integrated with ldap ,,,is it possible to check when the user login through the access log of ldap free ipa server .. What sentence should it look like ? thks barry

[Freeipa-users] Possible to extract password of ldap

2014-08-01 Thread barrykfl
Hi : Is it possible to read clear text of password of ipa users by admin ? I'm facing the issue of half rollout as half vol.of users changed password already. And if i deploy and reset all password then it may make issue for this half and we don't have records which user password sent .

[Freeipa-users] Del private group fail even using command

2014-08-01 Thread barrykfl
Hi: I follow command found from here and want to del private group but fail any idea? It said line 5 attribute error , any syntax wrong? ldapsearch -LLL -Y GSSAPI cn=barry ldapmodify -Y GSSAPI EOF dn: cn=barry,cn=groups,cn=accounts,dc=abc,dc=com changetype: modify delete: objectclass

Re: [Freeipa-users] ipa-replica-manage list fail on server 2

2014-07-08 Thread barrykfl
FYI.. 160: [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.156.89 to 192.168.156.89 163: [04/Jul/2014:12:35:30 +0800] conn=936207 op=-1 fd=73 closed - B1 There is not abt binding but i unsure how to fix .. 2014-07-09 2:01 GMT+08:00 Rich Megginson

Re: [Freeipa-users] ipa-replica-manage list fail on server 2

2014-07-04 Thread barrykfl
FOUND something strange that server 1 replicate to itself rather than server2 Server1 access log Wrong [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.15.89( server1 ) to 192.168.15.89 (server1) Server 2 access log OK [04/Jul/2014:12:35:30 +0800] conn=936208

Re: [Freeipa-users] ipa-replica-manage list fail on server 2

2014-07-03 Thread barrykfl
Yes they are running. Server 1 can syn to server2 but error at server 2 like this. On 2014/7/3 at 10:14 PM, Rob Crittenden rcrit...@redhat.com wrote: Please keep replies on the list. barry...@gmail.com wrote: I saw the error below and error log is it related ? 29/Jun/2014:02:00:58 +0800]

Re: [Freeipa-users] ipa-replica-manage list fail on server 2

2014-07-03 Thread barrykfl
Just sure now one side flow is broken, if u update server1 , it 100% work server2 will upgrade. but if u update server2 there is chance non-syn e.g it create username in server1 with posfix grp ok but in server2 it only created posfix grp but no username /attribute it occur several times. I have

[Freeipa-users] Rebuild agrrenment of cluster 1 and 2

2014-06-19 Thread barrykfl
Now node1 can show ipa-replica-manage list 1.abc.com: master 2.abc.com: master But at node 2 type ipa-replica-manage list Can't contact LDAP server It seem break on one side node2 any method to rebuild? the server trust build in self ca cert before but then it change to godaddy cert.

[Freeipa-users] convert krbExtraData password to plain text

2014-06-15 Thread barrykfl
dear all: Is it possible to query freeipa 's account password and display in plain txt ? or convert krbExtraData to plaintxt. rather than reset it. Regards barry ___ Freeipa-users mailing list Freeipa-users@redhat.com

[Freeipa-users] goddday wild card cert error

2014-06-04 Thread barrykfl
Dear all: my host is abc.def.com I import a cert *.def.com of godaddy to dirsrv and warning / error prompt any idea? is it i cannot use *.def cert and must use a full host cert . abc.def.com??? Shutting down dirsrv: PKI-IPA... [ OK ]

[Freeipa-users] Handle openssl issue

2014-04-15 Thread barrykfl
Dear all: http://heartbleed.com/ openssl announced before. We use 3rd part official cert ref. to this and convert to pkcs12 format by openssl. ( centos 6.4 ipa 3.0) http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP any patch for ipa need to added or OS level ? Regards

[Freeipa-users] add a cert of .net insetad of .com error ?

2014-04-10 Thread barrykfl
Dear all: I added *.abc.net cert to certutil -d /etc/httpd/alias and /etc/dirsrv/slapd-ABC-COM But error comes out after when i login the UI of service and click in entry . cannot connect to 'https://cert1.abc.com:443/ca/agent/ca/displayBySerial': [Errno -12276] (SSL_ERROR_BAD_CERT_DOMAIN)

[Freeipa-users] Any coomand can extract the private of the freeipa domain

2014-03-27 Thread barrykfl
i want to extract the private key of the self sign cert ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] change min and max lifetime of random password

2014-03-27 Thread barrykfl
Found a error today. when browse the cert services ..is it relate to dog tag system ...how to restart ? Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

[Freeipa-users] using 3rd party cert not self sign cert in ipa

2014-03-25 Thread barrykfl
Dear all: when install it already generate a self sign cert called mydomain.com . and run ca service. now i want to check if it ok to install 3rd party replacing ..so to httpd my ldap it will be https: my co domain (official cert ). and replace below. /etc/ipa/ca.crt /usr/share/ipa/html/ca.crt

[Freeipa-users] stop alias of https://abc.com/ipa/ui/

2014-03-25 Thread barrykfl
Dear sir: where can i set stop alias of /ipa/ui redirection...and let it just use https://abc.com/ipa/ui/ absolute path? thks barry

Re: [Freeipa-users] Export User fields from IPA

2014-03-20 Thread barrykfl
No export all func, ..but .it can export one account per time ..so i use a while loop to do it with a txt file. Is there a function to export/create report of these fields from the IPA? I'm not finding anything in the guide. Thanks. These are some of the fields we know will need in a list of

[Freeipa-users] Any command can change the direcoty manager password

2014-03-17 Thread barrykfl
hi: I accidentally changed uid admin 's password ...and then change back original. BUT it seem that it also modify CN+directory manager also can now conflicts. some user can not access using if cn= directory manager. any idea ? i tried the following command it says ssl connection already

[Freeipa-users] Change admin password will change directory manager also ???

2014-03-17 Thread barrykfl
Dear all: As title ? I changed admin (uid) and then change back original passwd . It seem it also syn to directory manager. I wonder Now all applications integrated with using CN=directory manager all fail to connect authorization fail. Any idea ? should i also change the directory manager password

[Freeipa-users] Grey button in Reset password in the gui

2014-02-19 Thread barrykfl
Dear all: I created a account of operator and added roles of user admin with reset /modify password privileges. but when he login , the reset password button is grey ? Any permission i should assign more... Now can only add this operator to admin group so all full access right. thks Barry

[Freeipa-users] Allow freeipa send password to user

2014-02-17 Thread barrykfl
Is it possible to set allow password to send to user after user request. I used one of the self password service pwm but it seem it is not compatible to retrieval of password using cert request / Answer and questions retrieval thks barry

[Freeipa-users] Response attribute to allow user unlock and retreval password

2014-02-17 Thread barrykfl
Dear all: Any attribute allow user to retrieve password and response to unlock and allow to send plain text password.? Regards Barry

[Freeipa-users] By default on port 389 , any encryption between client and server

2014-02-11 Thread barrykfl
Hi all: Some doc said it already build in TLS on 389 ... is it nsslapd-minssf on the dse.ldif? Should i need to set 636 ldaps ? or set higher nsslapd-minssf enough? What document tell the default secure connection of free ipa? thks barry

[Freeipa-users] Upgrade of Free ipa in CENTOS 6

2014-02-10 Thread barrykfl
Dear all: Any one have exp to upgrade ipa-server-3.0.0-26.el6_4.4.x86_64 to ipa-server-3.0.0-37.el6_4.4.x86_64 ( just minor patch/upgrade it think ) Is it just yum install then ok ??? i notice some official document but they are 3.3 free ipa of fedora ...just yum / run the rpm and not necessary

[Freeipa-users] HOW to Add employeenumber to user easily? there is account object with emoployee number ttribute

2014-02-06 Thread barrykfl
Hi: I can make it show on ldap browser or the ui but finding where to add it in command base. ipa user-mod ---employeenumber no such parameter. Moreover can i change the attribute just by name and make use of it. E.g. i found car license no really useful for staff so i want to change the

Re: [Freeipa-users] CentOS IPA Client using Fedora IPA Server - SSO Fails from AD Trust domain

2014-02-05 Thread barrykfl
Any one knows how to add new attribute or object class to the user accounts ...eg. added department and id creation date in those users info field. Can use 389 / redhat directory console ? I tried to edit 99user.ldif seem not shown up new attribute. barry 2014-02-05 Martin Kosek