I have my pam.d setup on my RHEL 4.6 machines. I set up the system-auth with the following line:
password required pam_unix.so nullok use_authtok md5 shadow \
remember=5

I just need somebody to tell me that I am all wet or that I understand it correctly.

My understanding is that if a password for Joe expires, the /etc/shadow file drops the encrypted password for Joe; essentially, Joe has no password. BUT when Joe tries to login, pam_unix.so sees that Joe has an account (/etc/passwd) but his encrypted password field in /etc/shadow is null. Joe is then allowed to enter a new password which must pass the pam_cracklib.so parameters (use_authtok). If there was no nullok, then Joe would not be identified as a valid user with an expired password and would not be allowed to choose a new password.

So is that correct or am I dreaming?
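
An added example, not part of the original post: a small audit that separates the two conditions the question involves, an empty password field in /etc/shadow (the case nullok governs) and an expired password (recorded in the shadow(5) aging fields). The shadow lines, placeholder hashes and the function names `classify` and `audit` are constructed for illustration.

```python
# Added example: classify shadow(5) entries by password state.
# SAMPLE_SHADOW is constructed; the "$1$..." values are placeholders, not real hashes.
from datetime import date

SAMPLE_SHADOW = """\
joe:$1$CONSTRUCTED$placeholderhash000000000:13000:0:90:7:::
amy:$1$CONSTRUCTED$placeholderhash111111111:19900:0:90:7:::
bob::19900:0:90:7:::
kim:$1$CONSTRUCTED$placeholderhash222222222:0:0:90:7:::
svc:!!:19900:0:99999:7:::
"""

EPOCH = date(1970, 1, 1)

def classify(line, today):
    """Return (user, state) for one line in shadow(5) format.

    Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
    """
    f = line.split(":")
    user, pw, lastchg, maxdays = f[0], f[1], f[2], f[4]
    now = (today - EPOCH).days
    if pw == "":
        # No password stored: this is the case the nullok option is about.
        return user, "empty"
    if pw[0] in "!*":
        return user, "locked"
    if lastchg == "0":
        # lastchg of 0 forces a change at next login.
        return user, "must_change"
    if lastchg and maxdays and now > int(lastchg) + int(maxdays):
        # Aging fields say the password is too old; the hash field is still set.
        return user, "expired"
    return user, "valid"

def audit(text, today):
    """Map each user in shadow-format text to its password state."""
    return dict(classify(l, today) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for user, state in audit(SAMPLE_SHADOW, date(2024, 7, 1)).items():
        print(f"{user:6} {state}")
```
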