Last week I joined a debian box to my employer's AD domain. It runs snort on the inside only and otherwise keeps daily backups. There's ssh access, but only from my FQDN.

Now, I'm getting pam_winbind user 'root' granted access emails from logcheck at very frequent intervals and even when no one is here.

I doubt the system is compromised, because it started after the winbind/samba install. I'm not an expert though, so I need some other opinions.

Auth.log has the following typical log entry:

Mar 12 07:39:01 intranet pam_winbind[12935]: user 'root' granted access
Mar 12 07:39:01 intranet CRON[12935]: (pam_unix) session opened for user root by (uid=0)
Mar 12 07:39:02 intranet CRON[12935]: (pam_unix) session closed for user root

Any advice would be great.

Look like CRON job doing something just login as a root and type command:
crontab -l

To list all cron job and you should get an answer.